The FBI wants Apple to help it access the iPhone owned and used by the terrorists who killed 14 people in San Bernardino, Ca. last year. Apple has refused and, in fact, has challenged the request in court. The battle is ongoing.

But hacking into iPhones is not new to the government. Actually, they’ve been doing it for a long time, and the process is as simple as purchasing a $200 IP box that’s easily available on eBay. The device is simple to use—connect the phone to the box and it zips through every possible PIN combination until it unlocks the phone. This method of hacking is called “brute-forcing.”

I know, Apple installed a safety that erases a phone’s data after 10 failed attempts to log in. BUT, the IP box is one step ahead of the game because it cuts power to the phone after each attempt, therefore the log-in attempts don’t accumulate.

Here’s a video of the device unlocking an iPhone with a 4-digit code. It takes a couple of minutes so prepare to yawn a few times before the exciting climax when the code appears and the phone unlocks. By the way, this process has been known to take as long as 111 hours (40 seconds for each PIN attempt).

Apple claims they plugged this security “hole” after iOS 8.1, but law enforcement experts say they’ve used brute-forcing devices to unlock the later versions.

It’s believed that the number of iPhones vulnerable to brute-forcing exceeds 100 million.

In the current argument/case between Apple and the U.S. government, the phone in question, the one used by the San Bernardino terrorists, runs iOS 9, which is protected against a brute-forcing attack.

So, the battle goes on.

In the meantime, rest assured that hackers, for whatever reasons, are working diligently to gain access to the latest iPhone models, leaving us to wonder if the newer Apple iPhones will continue to remain protected against falling from a poisonous tree.

Cyber attacks and warfare are among the greatest threats to the United States.  The federal government and private industry spend billions of dollars every year in people and technology to defend critical systems and data.  Our cyber defenders must stop the threat every time an intrusion attempt is made, but our adversaries only have to get it right once.  Daily media reports of cyber breaches, loss of personal information, disclosure of classified information, and state-sponsored advanced persistent threats (APTs) fill the headlines.

Image courtesy of TrendMicro

Government agencies and the private sector are attacked literally every hour of every day by unskilled hackers trying for any vulnerability they can find.  The real concerns however, are organized crime rings and foreign countries that have armies of highly skilled attackers with the financial backing and patience to get into networks and stay inside once they have created an opening.  These organizations will pay developers thousands of dollars to create custom malware, often referred to as “zero day” attacks that will slip past network security defense-in-depth systems and exploit computers because security systems haven’t seen this new threat before and don’t know to stop it.

A common tactic used by attackers is to obfuscate their Internet Protocol (IP) address, making it more difficult to trace illegal activity and to put blocks in place on network devices such as firewalls or routers.  One way this obfuscation occurs is when an attacker hijacks another computer and then uses the hijacked computer to do their criminal activity.  These hijacked computers are often referred to as “jump points.”  When an attacker uses a jump point to do their hacking, it will make it look like the jump point was the source of the attack.

When I was in law enforcement I investigated a case just like what was described above.  An organized crime ring found a vulnerable computer in the Pacific Northwest that they exploited and took control over, making it their jump point.  The attacker then used this jump point to exploit another computer that belonged to an employee of a medical facility.  Once the medical center computer was compromised, the attacker proceeded to obtain the credentials necessary to drain tens of thousands of dollars from the medical center’s bank account.

During the investigation, an IP address was identified as the source of this attack.  I obtained a subpoena for the Internet Service Provider (ISP), which held that IP address and discovered it was assigned to an elderly couple in a nearby state at the time of this attack.  A search warrant was obtained for their residence and law enforcement seized their computer and sent it to us for analysis.  In short, we discovered that this unfortunate elderly couple had nothing to do with this attack except for providing a high-speed Internet connection and vulnerable computer to the attacker.  We were never able to identify the attacker in this case.

Image courtesy of techweekeurpose.co.uk

The case highlighted above is financially motivated, but it could have easily been an attacker using this jump point to hack into national security information or the energy infrastructure.  There are some easy steps any computer owner can take to harden themselves against becoming an accomplice to a cyber-terrorist.   Some of the steps computer users can do to protect themselves and the country include:

1. Always have anti-virus software installed and updated daily with the latest definitions.
2. Install operating system security patches and updates.
3. Keep third-party software applications updated.
4. If using WiFi at home, ensure it is protected with encryption and consider other steps such as MAC address filtering and hiding the SSID.
5. Turn off your computer and/or Internet connection if away for an extended amount of time.
6. Use a firewall (software or hardware).
7. Don’t click on links embedded in email messages when they are suspicious or untrusted.
8. Use tough passwords and don’t re-use passwords (e.g., don’t use the same password to login to your computer as you do for your email and Internet banking).
9. Use encryption on all your devices when available.

Everyone should practice these and other information security steps to protect themselves from becoming a victim of identity theft, financial fraud, forgery, and other criminal activity.  By reducing the number of exploitable computers within the United States it protects our citizens and our nation from this type of cyber attack.

*     *     *

Josh Moulin has a long history of public service, beginning in 1993 as a Firefighter and EMT. After eight years of working assignments including; suppression, prevention, training, and transport ambulance, Josh left the fire service with the rank of Lieutenant when he was hired as a police officer.

Josh spent the next eleven years in law enforcement working various assignments. Josh worked as a patrol officer, field training officer, arson investigator, detective, forensic computer examiner, sergeant, lieutenant, and task force commander.

The last seven years of Josh’s law enforcement career was spent as the commander of a regional, multi-jurisdictional, federal cyber crime task force. Josh oversaw cyber crime investigations and digital forensic examinations for over 50 local, state, and federal law enforcement agencies. Under Josh’s leadership, the forensics lab was accredited by the American Society of Crime Lab Directors / Laboratory Accreditation Board (ASCLD/LAB) in 2009.

Josh has been recognized as a national expert in the field of digital evidence and cyber crime and speaks across the nation on various topics. He has testified as an expert witness in digital forensics and cyber crime in both state and federal court on several occasions. He also holds a variety of digital forensic and law enforcement certifications, has an associate’s degree and graduated summa cum laude with his bachelor’s degree.

In 2012 Josh left law enforcement to pursue a fulltime career in cyber security, incident response, and forensics supporting a national security federal agency. Josh now leads the Monitor and Control Team of a Cyber Security Office and his team is responsible for daily cyber security operations such as; incident response, digital forensics, network monitoring, and log analysis. Josh also holds an active Top Secret security clearance.

Josh is happy to answer questions for authors and can be contacted at:

Website: http://JoshMoulin.com

LinkedIn: http://www.linkedin.com/in/joshmoulin

Twitter: https://twitter.com/JoshMoulin

Facebook: http://www.facebook.com/joshmoulincom

Google+: https://plus.google.com/u/0/b/103854822765147479965/103854822765147479965/posts

YouTube: http://www.youtube.com/user/JoshMoulin

background: #bd081c no-repeat scroll 3px 50% / 14px 14px; position: absolute; opacity: 1; z-index: 8675309; display: none; cursor: pointer; top: 188px; left: 333px;”>Save

Lieutenant Josh Moulin supervises the Central Point Police Department’s Technical Services Bureau and is the Commander of the Southern Oregon High-Tech Crimes Task Force. He is one of approximately 470 Certified Forensic Computer Examiner’s worldwide and has been trained by a variety of organizations in digital evidence forensics. Lt. Moulin has also been qualified as an expert witness in the area of computer forensics and frequently teaches law enforcement, prosecutors, and university students about digital evidence.

Beginning his public safety career in 1993, Josh started in the Fire/EMS field working an assortment of assignments including fire suppression, fire prevention, transport ambulance, and supervision. After eight years Josh left the fire service with the rank of Lieutenant and began his law enforcement career. As a Police Officer Josh has had the opportunity to work as a patrol officer, field training officer, officer in charge, arson investigator, detective, and sergeant.

For further information about the Central Point Police Department please visit www.cp-pd.com, and for the Southern Oregon High-Tech Crimes Task Force visit www.hightechcops.com. To reach Sgt. Moulin you can e-mail him at joshm@hightechcops.com.

Southern Oregon High-Tech Crimes Task Force Attains Accreditation

It has been a while since I have blogged for Lee, and part of the reason behind that is because I have spent the last year working on getting our forensics laboratory accredited. I thought I would provide some information about lab accreditation in this blog.

Between blogs I have received several emails from different authors asking questions and I am always happy to reply. If you have any questions for me surrounding high-tech crimes or digital evidence (or other police related questions), feel free to send me an email.

On July 17th 2009 the Southern Oregon High-Tech Crimes Task Force attained the prestigious American Society of Crime Laboratory Directors Laboratory Accreditation Board (ASCLD/LAB) Accreditation and joined the ranks of some of the most premier digital evidence forensics laboratories in the world.

ASCLD/LAB (www.ascld-lab.org) offers voluntary accreditation to any crime lab that can comply with their large number of standards. Criteria include all aspects of operations such as management, personnel training and qualifications, health and safety, evidence handling, proficiency testing, lab security, and forensic practices. Part of the accreditation process is an onsite inspection by ASCLD/LAB trained professionals who inspect the laboratory, interview personnel, and review case files and practices. As of September 13th 2009, there are 366 crime labs accredited by ASCLD/LAB worldwide.

After over a year of dedicated hard work and preparation, the Southern Oregon High-Tech Crimes Task Force (SOHTCTF) achieved their accreditation for the Digital and Multimedia Discipline in both the computer and video forensic sub disciplines. There are 97 different quality standards applicable for digital forensics laboratories that are rated as Essential, Important or Desirable. The task force complied with 100% of the Essential, 92% of Important (only 75% required), and 94% of Desirable (only 50% required).

The SOHTCTF is the only standalone local law enforcement digital evidence forensics laboratory to be accredited by the ASCLD/LAB legacy program in the world. The SOHTCTF joins only 54 other laboratories in the world that are accredited to perform some aspect of forensic analysis on digital evidence.

(Left to Right: – Det. Bloomfield, Lt. Moulin, Support Specialist Miller)

According to a letter announcing the SOHTCTF’s accreditation, ASCLD/LAB Chair Jami St.Clair wrote, “Accreditation is granted only after a thorough evaluation of a laboratory’s management practices, personnel qualifications, technical procedures, quality assurance program and facilities. Accreditation is the result of extensive commitment of resources and much preparation by the management and personnel in your laboratory.”

Accreditation provides reassurance that the task force’s work is of the highest quality and the laboratory and personnel have gone through an external review by an independent organization.

Background on the Southern Oregon High-Tech Crimes Task Force

The SOHTCTF was first created by the City of Central Point Police Department in 2005 and in 2007 was joined by personnel from the City of Medford Police Department. The SOHTCTF is a regional, multijurisdictional task force performing cyber crime investigations and digital evidence forensics for approximately 30 federal, state and local law enforcement agencies throughout Oregon. Some of the agencies include the FBI, DEA, ICE, BLM, DOJ, Oregon State Police and multiple agencies in Jackson, Josephine, Douglas, Curry and Klamath Counties. While the task force typically provides services throughout Oregon, it has assisted in investigations in the States of Washington, California, Idaho, Montana and Texas.

The SOHTCTF performs forensic examinations on digital evidence such as computers, cellular phones, servers, removable media, digital cameras and other peripheral devices to support criminal investigations such as homicides, terrorism, child sexual exploitation, white collar crimes, and other felony crimes. In addition, the task force conducts proactive undercover Internet investigations and a large amount of public education courses. To date the task force has provided 218 hours of training to over 1800 people nationwide.

The examiners within the task force are highly trained and certified and have all been qualified as expert witnesses in digital forensics in both state and federal court on numerous occasions. The SOHTCTF examiners are recognized nationwide and frequently called upon to teach across the nation for organizations such as the National District Attorney’s Association, National Center for the Prosecution of Child Abuse and the National Association of Attorneys General, teaching how to investigate and prosecute technology based crimes against children.

The SOHTCTF has seen a 28% increase in cases submitted and an 8% increase in the amount of evidence submitted for forensic analysis from just last year. As electronic evidence continues to play a very important role in nearly every criminal investigation, becoming accredited is more critical than ever.

I hope everyone has a Merry Christmas and Happy New Year.

background: #bd081c no-repeat scroll 3px 50% / 14px 14px; position: absolute; opacity: 1; z-index: 8675309; display: none; cursor: pointer; top: 580px; left: 20px;”>Save

Lieutenant Josh Moulin supervises the Central Point Police Department’s Technical Services Bureau and is the Commander of the Southern Oregon High-Tech Crimes Task Force. He is one of approximately 470 Certified Forensic Computer Examiner’s worldwide and has been trained by a variety of organizations in digital evidence forensics. Lt. Moulin has also been qualified as an expert witness in the area of computer forensics and frequently teaches law enforcement, prosecutors, and university students about digital evidence.

Beginning his public safety career in 1993, Josh started in the Fire/EMS field working an assortment of assignments including fire suppression, fire prevention, transport ambulance, and supervision. After eight years Josh left the fire service with the rank of Lieutenant and began his law enforcement career. As a Police Officer Josh has had the opportunity to work as a patrol officer, field training officer, officer in charge, arson investigator, detective, and sergeant.

For further information about the Central Point Police Department please visit www.cp-pd.com, and for the Southern Oregon High-Tech Crimes Task Force visit www.hightechcops.com. To reach Sgt. Moulin you can e-mail him at joshm@hightechcops.com.

Online Games and Child Exploitation
From the Case Files of the Southern Oregon High-Tech Crimes Task Force

On Sunday February 24th 2008 I received a phone call at home from an Oregon State Police Detective asking for my assistance with a person they just arrested. The Detective told me that a man was just stopped on Interstate 5 by State Troopers who was a suspect in a kidnapping from California. The suspect had with him some computer equipment and cell phones and the State Police wanted some help with seizing the digital evidence.

I left home and met the State Police Detective at his office. In custody was a male adult named David Anthony Faboo and in protective custody was a 16-year-old female from California. I assisted the State Police by taking possession of all the digital evidence in a forensically sound manner. The Detective briefed me on the case and explained that Faboo was suspected of traveling down to Wheatland California and picking up the 16 year old from her home and brining her back up to Oregon.

The female victim’s parents realized their daughter was missing and called the local police department. Through the course of the Wheatland Police Department’s investigation they began to track the location of the victim girl’s cell phone. During the cell phone tracking it was found her phone was traveling northbound on Interstate 5 near Grants Pass Oregon and the Oregon State Police located the vehicle and stopped it.

Since this case involved the suspect traveling over state lines the Federal Bureau of Investigation from the Sacramento Field Office became the lead agency. During the next several weeks after Faboo’s arrest I sifted through all of the digital evidence and sent a report to the FBI of the findings. The FBI, Wheatland
Police, the Oregon State Police and the Southern Oregon High-Tech Crimes Task Force conducted an extensive investigation. It is alleged that Faboo met the teen girl through the website MySpace.com and through the online game World of Warcraft.

Faboo’s truck had a makeshift bed built by plywood in the back along with knives, rope, condoms, and sex toys (all details made public in this case). It is unknown what Faboo’s true intentions were, but on April 4th 2008 David Anthony Faboo was indicted by a Federal Grand Jury on two counts of Transporting a Minor Across State Lines for Purposes of Criminal Sexual Activity. Faboo remains in custody in Sacramento today.

Nearly every electronic gaming system sold on the market today has the ability to be connected to the Internet. Having a game system connected to the Internet allows users to download new games and content, do system upgrades, and to play games against people all over the world. In addition to game systems such as the Wii, Nintendo DS, Xbox and Playstation there are many games for computers to be played on the Internet as well.

Most games allow for online communication to occur between players ranging from typed messages to headsets in which the players talk to each other. Being able to communicate with a fellow teammates or to an online enemy can make a game more realistic and help people strategize. It can also introduce children to people who are playing these games for a far more sinister reason, to find their next victim.

Sexual predators will disguise themselves as teenagers playing these games and begin to create online relationships with children. Over time, these sexual predators will begin asking questions that seem harmless to children and teenagers such as the school they attend, their after school schedule, sports activities, what their parents do for work, etc. Coming from “another kid” a child may not see the harm in answering the questions. The reality is that they just may have provided that information to an online sexual predator.

After establishing a rapport with a child, these sexual predators will get them distracted by playing an intense online game and then ask them more specific and personal questions. They know exactly what they are doing and how to get the information they are looking for. If they don’t get it from one child, they’ll quickly move onto the next.

In addition to sexual predators, these online gamming areas can expose children to explicit language and other content that may not be suitable for younger children. It is important that parents realize this potential exists and that kids and teens know who to go to when something happens on the Internet or an online game that makes them feel uncomfortable.

David Faboo is looking at a maximum penalty for his charges of life in prison with a mandatory minimum penalty of 10 years. He should be considered innocent unless and until he is proven guilty beyond a reasonable doubt.

background: #bd081c no-repeat scroll 3px 50% / 14px 14px; position: absolute; opacity: 1; z-index: 8675309; display: none; cursor: pointer; top: 881px; left: 20px;”>Save

Lieutenant Josh Moulin supervises the Central Point Police Department’s Technical Services Bureau and is the Commander of the Southern Oregon High-Tech Crimes Task Force. He is one of approximately 470 Certified Forensic Computer Examiner’s worldwide and has been trained by a variety of organizations in digital evidence forensics. Lt. Moulin has also been qualified as an expert witness in the area of computer forensics and frequently teaches law enforcement, prosecutors, and university students about digital evidence.

Beginning his public safety career in 1993, Josh started in the Fire/EMS field working an assortment of assignments including fire suppression, fire prevention, transport ambulance, and supervision. After eight years Josh left the fire service with the rank of Lieutenant and began his law enforcement career. As a Police Officer Josh has had the opportunity to work as a patrol officer, field training officer, officer in charge, arson investigator, detective, and sergeant.

For further information about the Central Point Police Department please visit www.cp-pd.com, and for the Southern Oregon High-Tech Crimes Task Force visit www.hightechcops.com. To reach Lt. Moulin you can e-mail him at joshm@hightechcops.com.

Cellular Phone Evidence

When cell phones were first introduced criminals wasted no time putting them to use for their criminal enterprises. A favorite tool of drug dealers, having a cell phone eliminated the need to find the neighborhood phone booth to make all their dope calls. Law enforcement would seize these early cell phones and manually go through the information available, which at that time were a phonebook and a call log if they were lucky.

As the years went by cell phones progressed to being able to store large contact lists including phone numbers, addresses, e-mail addresses and names, call logs that kept history of incoming, outgoing and missed calls, and special ring tones provided by the manufacturer. In many criminal cases investigators are interested in who the phone owner called, who called them and who their associates were. With cell phone forensics not available yet, most investigators would hand write all of the information from the phone, a slow yet effective way to get what was needed.

Speed up to 2008; cell phones are now nothing less than small personal computers. Cell phones have the ability to store contacts, call logs, music, pictures, videos, e-mails, text messages, documents, spreadsheets, ring tones and even have built-in color still and video cameras. The amount of evidence that can potentially reside in the memory of a cell phone is mind-boggling.

As cell phones continue to act more like computers, the days of the on-scene investigator “browsing” the contents of a phone is quickly coming to an end. If a police officer browses the contents of a phone in a non-forensic manner there is the potential of changing or destroying evidence, which could damage the case and certainly call the officer’s action into question in court.

With cellular phone forensic training and equipment available to law enforcement for the past few years, an investigator can send a cellular phone off to a forensic lab and generally get back a large amount of data. In our lab it is very common to recover pictures and videos taken by the cell phone, which clearly show criminal activity and can become crucial in a case. I can’t count the number of times I have examined cell phones for a narcotics case just to find pictures of the suspect possessing, manufacturing, or using drugs. I have also had several sex abuse cases where the suspect actually videotaped committing the sex crime with the cell phone.

Since there is no standard when it comes to how cell phones are manufactured, there is no “catch-all” forensic software suite or tools that will examine all phones. Forensic labs that do cell phone examinations often have several different software applications and dozens, if not hundreds of data cables to interface with all the phones on the market. Cell phone forensics is a quickly evolving field that can be expensive to stay in.

In addition to the internal phone memory, many cell phones are equipped with a SIM (Subscriber Identity Module) card. This SIM card, which is about the size of a postage stamp, contains information about the phone, which allows it to authenticate on the network, as well as other data. SIM cards can contain contact information, last numbers dialed, text messages, deleted text messages, and more.

Compiled with all the evidence located on the actual phone itself and a SIM card (if present), getting information from the cellular service provider can give investigators enormous insight into a case. After serving sufficient legal process on the cell provider information such as tower locations, call logs and subscriber information are made available to law enforcement. It is possible in many cases to use GPS coordinates and tower locations given by the provider to track the movements of a cell phone. In a case where police are trying to place a suspect at the scene of a crime, this can be invaluable.

background: #bd081c no-repeat scroll 3px 50% / 14px 14px; position: absolute; opacity: 1; z-index: 8675309; display: none; cursor: pointer; top: 516px; left: 20px;”>Save