Recently we published the article Cyber Investigations: The Footprints Left Behind, where we described how vital it is to conduct cyber investigations with forethought about the traces you leave behind. This follow-up article presents some of the solutions that can be employed to conduct cyber investigations anonymously.
This article discusses how different technologies can be used to obscure your presence during the online reconnaissance phase of an investigation. The two focal points are online Web resources that make requests on your behalf, and locally installed tools that obfuscate your actions. It is important to remember that whenever you investigate a target on the Internet, you leave some type of footprint on that remote system. Before you reach out and touch it, decide what level of anonymity you need. Is it acceptable for a non-attributable IP address to appear in the target's access logs, mixed among the other scattered addresses that hit the host every day? Or does your presence need to be completely covert? These are questions to answer before conducting online investigations, because the answer decides which of the techniques below are adequate.
Online Obfuscation Services
There are several online services that allow an investigator to gather intelligence on a remote host or domain from the service's own servers rather than from your workstation. One such site is centralops.net. This Web site lets you perform WHOIS lookups on a domain, traceroute to it (which also shows whether the host answers), and identify its geo-location. Its most useful function is a check of a small number of common services, such as Web (port 80), mail (port 25), FTP (port 21), POP3 (port 110), and IMAP (port 143). This is helpful if you want to find out whether a system you are investigating is running a certain service. Of course Nmap or another scanner can provide the same output and much more, but unless you go through a proxy your own IP address will be recorded in the destination's log files. Keep in mind that the lookup service itself sees your real IP address and your query, so you are trading a footprint on the target for a footprint at a third party.
Another good online resource is serversniff.net. As the name implies, this Web site provides a series of online investigative tools that identify information about servers on the Internet. Serversniff.net offers many different services, such as listing the subdomains of a domain of interest, providing the ASN for an IP address, or retrieving an HTML page's source code. Below are two examples of the type of subdomain information that can be found. The first figure is a graphical example of the hosts residing in the foobar.com domain.
Figure 1: Anonymously mapping out hosts within a domain
The second example shows the information that can be obtained. As shown in Figure 2 below, just by providing the domain foobar.com, the hosts found within that domain are listed along with their IP addresses and some indication of the services they provide. This is very helpful when mapping out criminal infrastructure that hangs off a known bad domain name.
Figure 2: ServerSniff's extraction of domain information
Another really useful reconnaissance tool on Serversniff.net is Show HTML Hyperlinks, which maps out all the hyperlinks on a Web page. Since the request is made from Serversniff's servers, your source IP address is not logged in the target's Web logs.
Figure 3: Serversniff's Show HTML Hyperlinks
While the online tool from Serversniff.net shows the hyperlinks on a page, another helpful set of tools lets you mirror, or pull down, an entire Web site and its contents. The whole site, including all files and images, can then be analyzed offline. This action creates a lot of noise in the target site's Web logs: every file retrieved is a log line. A couple of tools that provide this capability are Black Widow (Softbyte Labs) and Teleport Pro (Tenmax). These are Windows GUI tools, but the UNIX/Linux tool wget provides the same service in its mirror mode, and honors the usual proxy environment variables. Just remember that unless you obfuscate your IP address, it will be littered throughout your target's Web logs.
This section of the article discusses the different ways to obfuscate your IP address. Online tools like Centralops and Serversniff are great, but as referenced in the first article, their requests are still visible to the target. There may be enough traffic hitting the target's hosts that one more visitor will not matter. In the end, what matters is that the target cannot attribute the source IP address back to your organization.
At some point, the investigation will progress to reaching out to the remote site, whether by pulling down the Web site with wget or by actually browsing it. This should be done through some layer of abstraction. First and foremost, you want to hide your source IP so the destination site does not log your actual address. If you can remove the association between the IP address and your organization, you have met that objective. There are several ways to do this. Service options include installing a dedicated DSL line, or purchasing a mobile hotspot such as a MiFi. A MiFi does give you a dynamic IP address, but it is drawn from a shallow pool of addresses. These two options are a more static solution, but remain viable as long as the lines are registered covertly and not linked back to your organization. Because the address is static, it might be blocked by a filtering device, especially if it appears that you were snooping around. Being able to rotate or change IP addresses helps with that problem. It is also very important to get the information you need the first time, rather than returning to the host a second or third time, which could raise suspicion.
Other options are VPN services and solutions such as Tor, The Onion Router. VPN services such as hidemynet.com and StrongVPN provide proxy and anonymous Internet services. These two are among many providers that let you connect to their network through a VPN tunnel and exit from various cities around the world. For instance, Hide My Net offers exit nodes in the Netherlands, Germany, Turkey, Romania, Egypt, Singapore, and the United States.
Figure 4: Hidemyass Web proxy
Free Web proxies, such as the one shown in Figure 4, insert the company's banner across the top of each page you view. Most of the free solutions also offer paid versions. One thing to remember about all of these proxy and VPN services is that you are placing some level of trust in the people running them. Even if your traffic is encrypted as it traverses the VPN tunnel, unless it is encrypted end to end to the destination host (for example with HTTPS), the exit node decrypts it and sees it in plain text, and the operator can log it. This applies to Tor as well, which is discussed below.
Using Tor for Anonymity
Tor is a good solution for hiding your source IP address. It grew out of onion routing research at the U.S. Naval Research Laboratory. Tor is a network of volunteer-run relays that pass a user's traffic to its destination through a circuit of several relays (three by default), with a layer of encryption for each hop. The destination host sees only the IP address of the exit relay, not the source IP address of the client that initiated the communication. Tor carries only TCP traffic. The Tor client exposes a local SOCKS proxy (by default on port 9050 of localhost), so any application that can speak SOCKS can use it. Figure 5 provides a high-level view of how Tor works.
Figure 5: How Tor works
Even though your data in transit is encrypted and your origin is hidden by Tor, there are still things to consider to further hide or alter your true identity. It is important to know that the list of Tor exit relays is public. The Tor Project publishes the current exit list, and a simple Google search turns up sites that list exit nodes with their IP addresses, service providers, and geographical locations. Some targets block access from Tor exit addresses. This is important to know, because if you investigate a remote host through Tor and the site is blocking all Tor addresses, you might conclude that the host is down when it is not. Traffic arriving from a Tor exit is not in itself indicative of law enforcement or hacker activity; some people simply prefer an extra layer of privacy and obscurity.
Other Information Leaks to Consider
Another crucial issue is that, with older Tor setups, DNS requests could be made out of band, meaning they were not sent through the Tor network. The leak happens when the application resolves the hostname itself before handing the connection to the proxy, as a plain SOCKS4 client does, or as a SOCKS5 client does when it passes an IP address instead of a hostname. As referenced in the previous paper Cyber Investigations: The Footprints Left Behind, if the targets of your investigation control their own domain name server, a resolution request coming from your IP address will be logged. An investigator using Tor to examine a target Web site would appear to the Web server as the Tor exit relay, but the DNS request for the site's name would arrive from the investigator's actual source IP address. Tor addressed this back in June of 2010, and all current versions resolve names inside the Tor network as long as the application passes the hostname through to the proxy: a SOCKS4a or SOCKS5 request that carries the hostname (curl's socks5h:// proxy scheme, Firefox's network.proxy.socks_remote_dns setting, or a wrapper such as torsocks) lets the exit relay perform the lookup.
Even though your source IP address is hidden while using a proxy such as Tor, your user agent string is still passed to the destination Web site. Depending on what you are trying to accomplish, it might tip off the target. If you are posing as a non-English speaker but your browser reveals a language tag of "en-US", that could raise suspicion. Older Firefox versions put the locale directly in the user agent string; current browsers send it in the Accept-Language header instead, which leaks it just as effectively. Figure 6 is an example of a user agent string; the leading "Mozilla/5.0" token appears in nearly every modern browser's string, and it is the platform and browser tokens after it that identify you. It could be suspicious if your user agent string shows you are running Linux while you claim to be non-technical, since non-technical people rarely use UNIX or Linux based systems.
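The leak described above comes down to one byte in the SOCKS5 CONNECT request: the address type. The following is an added example, written for this article and not code from the original or from the Tor Project. It encodes the request both ways, inspects a captured request to tell whether the client resolved the name itself, and, when run directly, opens a connection through a local Tor client. The proxy address 127.0.0.1:9050 and the resolver stub used in the demo are assumptions, not values from the article.

```python
"""SOCKS5 CONNECT requests with and without the out-of-band DNS lookup.

Added example. Assumes a Tor client on its default SOCKS port (127.0.0.1:9050)
only for the demo at the bottom; building and inspecting requests needs no network.
"""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # assumption: default Tor SOCKS listener

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_connect_request(host, port, resolve_locally=False, resolver=socket.gethostbyname):
    """Encode a SOCKS5 CONNECT request (RFC 1928, section 4).

    resolve_locally=True reproduces the leak: the client looks the name up itself
    (a DNS query leaves from the investigator's real address) and hands the proxy
    an IPv4 address (ATYP 0x01). resolve_locally=False sends the hostname
    (ATYP 0x03), so the Tor exit relay does the lookup instead.
    """
    if resolve_locally:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))  # the leak
    else:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_connect_request(request):
    """Decode a SOCKS5 CONNECT request into (atyp, destination, port)."""
    if len(request) < 7 or request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_IPV4:
        dest, rest = socket.inet_ntoa(request[4:8]), request[8:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        dest, rest = request[5:5 + n].decode("idna"), request[5 + n:]
    elif atyp == ATYP_IPV6:
        dest, rest = socket.inet_ntop(socket.AF_INET6, request[4:20]), request[20:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated request")
    return atyp, dest, struct.unpack(">H", rest)[0]


def dns_leaks(request):
    """True if the client already resolved the name, i.e. the proxy was handed an IP."""
    atyp, _, _ = parse_connect_request(request)
    return atyp != ATYP_DOMAIN


def tor_connect(host, port, timeout=10):
    """Open a TCP stream to host:port through the local Tor SOCKS proxy,
    passing the hostname so that the exit relay resolves it. Returns the socket."""
    s = socket.create_connection(TOR_SOCKS, timeout=timeout)
    s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))        # greeting: one method, no auth
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        s.close()
        raise OSError("proxy refused the no-authentication method")
    s.sendall(socks5_connect_request(host, port))
    reply = s.recv(4)
    if len(reply) < 4 or reply[1] != 0x00:
        s.close()
        raise OSError("CONNECT failed, reply code %r" % (reply[1:2],))
    atyp = reply[3]                                       # drain the bound address
    if atyp == ATYP_IPV4:
        s.recv(4 + 2)
    elif atyp == ATYP_DOMAIN:
        s.recv(s.recv(1)[0] + 2)
    elif atyp == ATYP_IPV6:
        s.recv(16 + 2)
    return s


if __name__ == "__main__":
    safe = socks5_connect_request("example.com", 80)
    leaky = socks5_connect_request("example.com", 80, resolve_locally=True,
                                   resolver=lambda h: "192.0.2.10")  # constructed stub
    print("hostname request leaks DNS:", dns_leaks(safe))
    print("pre-resolved request leaks DNS:", dns_leaks(leaky))
    try:
        s = tor_connect("check.torproject.org", 80)
        s.sendall(b"GET / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
        print(s.recv(200).decode(errors="replace"))
        s.close()
    except OSError as exc:
        print("Tor not reachable on %s:%d (%s)" % (TOR_SOCKS[0], TOR_SOCKS[1], exc))
```

The same inspection can be run against a packet capture of your own traffic to the proxy port: any CONNECT carrying ATYP 0x01 or 0x04 means a resolver somewhere on your side answered first, and that query left your network in the clear.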
Figure 6: Example of a user agent string
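Before a persona goes near the target, it is worth checking the identifying headers against the cover story. The following is an added example, not code from the original article: it pulls the platform and locale out of a user agent string (both the old Gecko form that embedded the locale and the current form), ranks the Accept-Language tags, and reports anything that contradicts the persona. The persona format, the platform table, and the sample strings are constructed for the example.

```python
"""Pre-flight check of User-Agent and Accept-Language against a cover persona.

Added example. Persona definitions, the platform table and sample headers are
constructed; they are not values from the original article.
"""
import re

# Platform token -> OS family, checked in this order (constructed table).
_PLATFORMS = [
    (r"Windows", "Windows"),
    (r"Android", "Android"),
    (r"iPhone|iPad", "iOS"),
    (r"Mac OS X|Macintosh", "Mac OS X"),
    (r"Linux|X11", "Linux"),
]
_LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def _platform_section(user_agent):
    """The first parenthesised section, where browsers put the platform tokens."""
    m = re.search(r"\(([^)]*)\)", user_agent)
    return m.group(1) if m else user_agent


def platform_of(user_agent):
    """Return the OS family named in the platform section, or None if unknown."""
    section = _platform_section(user_agent)
    for pattern, family in _PLATFORMS:
        if re.search(pattern, section):
            return family
    return None


def language_in_user_agent(user_agent):
    """Older Gecko strings carried the locale as a token, e.g.
    'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) ...'."""
    for token in (t.strip() for t in _platform_section(user_agent).split(";")):
        if _LANG_TAG.match(token):
            return token
    return None


def accept_language_preference(header):
    """Parse Accept-Language and return the tags, most preferred first."""
    prefs = []
    for order, part in enumerate(header.split(",")):
        fields = [f.strip() for f in part.split(";")]
        tag, q = fields[0], 1.0
        for f in fields[1:]:
            if f.lower().startswith("q="):
                try:
                    q = float(f[2:])
                except ValueError:
                    q = 0.0
        if tag and tag != "*" and q > 0:
            prefs.append((-q, order, tag))
    return [tag for _, _, tag in sorted(prefs)]


def persona_mismatches(headers, persona):
    """Compare what the headers reveal with what the cover story claims.

    persona is a dict like {"os": "Windows", "language": "de-DE"}.
    Returns a list of findings; an empty list means the headers fit the story.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ua = h.get("user-agent", "")
    seen_os = platform_of(ua)
    if seen_os and seen_os != persona["os"]:
        findings.append("User-Agent platform is %s, persona claims %s" % (seen_os, persona["os"]))
    languages = []
    ua_lang = language_in_user_agent(ua)
    if ua_lang:
        languages.append(("User-Agent", ua_lang))
    ranked = accept_language_preference(h.get("accept-language", ""))
    if ranked:
        languages.append(("Accept-Language", ranked[0]))
    for source, tag in languages:
        if tag.lower() != persona["language"].lower():
            findings.append("%s leads with %s, persona claims %s" % (source, tag, persona["language"]))
    return findings


if __name__ == "__main__":
    persona = {"os": "Windows", "language": "de-DE"}   # constructed cover story
    headers = {                                         # constructed sample headers
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept-Language": "en-US,en;q=0.5",
    }
    for finding in persona_mismatches(headers, persona) or ["headers fit the persona"]:
        print(finding)
```

Run it against the headers your proxy or user agent switcher actually emits, captured with the browser's developer tools or a local intercepting proxy, rather than against what the plugin's settings page says it will send.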
Before you reach out onto the Internet to gather evidence for your case, make sure you are covering your tracks. Think before you act, because your actions could leave an unwanted footprint for your adversary. If you use third-party services such as VPNs or proxies, perform due diligence to ensure the provider is reputable; remember that they see all of your traffic as it leaves their network. When using proxies it is also important to test that all of your network traffic actually goes through the proxy, for example by visiting a page that reports your apparent source address (the Tor Project runs check.torproject.org for this purpose) and by watching for DNS queries leaving your network. Some portions of your Internet requests, such as out-of-band DNS lookups, might bypass the proxy entirely.
There are different ways Tor can be accessed and used. The Tor Browser Bundle includes a self-contained browser, called Aurora, that uses the Tor network without installing any software on the system. Bundles are available for Windows, Mac OS X, and Linux, and can be run from a USB device or DVD. Firefox has a plugin, FoxTor, that makes it easy to connect to the Tor network and browse. Both Chrome and Firefox have plugins that let you switch your user agent string to any value you desire. Remember to change the language settings to match, since the Accept-Language header is sent regardless of what the user agent string claims.
Mark Wade is the Vice President of EdgePoint Security, LLC. In past roles Mark performed digital forensics for a Federal law enforcement agency as a government contractor, investigating computer and network intrusions, user profiling, and various other Internet investigations. His other prior work includes twelve years of computer and network security with a specific focus on penetration testing, IDS and firewall management, incident response, and malware analysis. EdgePoint Forensics specializes in computer and network forensics, operational investigative support for cyber crime, and computer forensics training. www.edgepointsecurity.com; firstname.lastname@example.org