image and a single dropzone for files to be sent. On dropping a file, the background javascript helpers manage the file upload to their servers. Once uploaded ...
HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS AND CHALLENGES Jason Farina
Mark Scanlon Nhien-An Le-Khac
Stephen Kohlmann Tahar Kechadi
School of Computer Science & Informatics, University College Dublin, Ireland. {jason.farina, stephen.kohlmann}@ucdconnect.ie, {mark.scanlon, an.lekhac, tahar.kechadi}@ucd.ie
ABSTRACT In recent months there has been an increase in the popularity and public awareness of secure, cloudless �le transfer systems. The aim of these services is to facilitate the secure transfer of �les in a peer-topeer (P2P) fashion over the Internet without the need for centralized authentication or storage. These services can take the form of client installed applications or entirely web browser based interfaces. Due to their P2P nature, there is generally no limit to the �le sizes involved or to the volume of data transmitted � and where these limitations do exist they will be purely reliant on the capacities of the systems at either end of the transfer. By default, many of these services provide seamless, end-to-end encryption to their users. The cybersecurity and cyberforensic consequences of the potential criminal use of such services are signi�cant. The ability to easily transfer encrypted data over the Internet opens up a range of opportunities for illegal use to cybercriminals requiring minimal technical knowhow. This paper explores a number of these services and provides an analysis of the risks they pose to corporate and governmental security. A number of methods for the forensic investigation of such transfers are discussed.
Keywords 1.
: Covert Transfers, Encrypted Data Transmission, Counter-forensics
INTRODUCTION
or duplicated and their data being downloaded by others. Regarding the security of their data
sending anything
stored on this third-party provider, users must
larger than a single image or document electron-
blindly trust this third-party to not access or
ically is still a cumbersome task when reliant on
share their data with any unauthorized party.
For the typical home user,
popular online communication methods.
Most
While the requirement to send larger volumes
email providers will limit the �le size of attach-
of information over the Internet is ever increas-
ments to something in the order of megabytes
ing, the potential for third-party interception, or
and many will additionally restrict �le types such
illicit access to, this data has become a common
as executables or password protected archives
story in the general media.
based on internal security policies.
Sending
whistle-blowers regarding the degree of surveil-
larger �les usually requires users to upload the
lance conducted by large government funded spy-
content to third party storage providers, e.g.,
ing agencies on everyday citizens has pushed the
Dropbox, OneDrive, Box.net, etc., and provide
topic of cybersecurity into the public realm. In-
a link to the content to their intended recipients.
creasingly, Internet users are becoming conscious
From a security standpoint, this leaves user vul-
of their personal responsibility in the protection
nerable to their communication being intercepted
of their digital information. This results in many
1
Recent leaks from
users being discontent with their personal data
work has been conducted on the reverse engi-
stored on these third party servers � likely stored
neering/evidence gathering of these anonymizing
in another jurisdiction with privacy requirements
P2P proxy services, little work has been done in
much lower than those of their own locale.
the area of online services providing end users
To respond to this demand a number of �le ex-
with the ability to securely and covertly transfer
change/transfer services have grown in popular-
information from peer to peer in an largely unde-
ity in recent months facilitating the secure trans-
tectable manner. This work presented as part of
fer of �les in a peer-to-peer (P2P) fashion from
this paper examines a number of popular client
point A to point B. Most of these services a�ord
application and web based services, outlines their
the user encrypted end-to-end �le transfer and
functionality, discusses the forensic consequences
add an additional level of anonymity compared
and proposes a number methods for potentially
to regular �le transfer services, e.g., email at-
retrieving evidence from these services.
tachments, FTP or instant message �le-sharing. The more security concerned users will opt for
2.
BACKGROUND READING
the cloudless versions of these services. This in-
The technology used to facilitate covert �le trans-
dependent control over personal information has
fers is not new, however, until recently such mea-
advantages and disadvantages for the end user.
sures were deemed too complex to be considered
The advantage is that the user has precise knowl-
of bene�t to the average user.
edge over who has initial access to his/her infor-
FTP servers, dynamic DNS for public IP based
mation and what country the data is stored in.
system shares and management of public/private
The downside comes in terms of reliability. The
keypairs for SSH are not tasks a non-technical
data stored or transferred using these services is
individual can accomplish without technical as-
only available if at least one host storing the �le
sistance or a very thorough how-to guide.
is online.
current transfer options, while easy to implement
Maintenance of
The
As with most security or privacy enhancing In-
and in some cases, completely transparent to the
ternet services, these services are open to abuse
user, can all be found to have a more complex
by cybercriminals. In e�ect, the additional level
root in one of the following methods or tech-
of anonymity and security provided by these ser-
niques.
2.1 Anonymizing Services
vices provides cybercriminals with �o�-the-shelf � counter-forensic capabilities for information exchange.
Today
Cybercriminal activities such as data
there
are
many
anonymizing
services
ex�ltration, the distribution of illicit images of
available for communication and data transfer.
children, piracy, industrial espionage, malicious
The popular anonymous browser Tor allows users
software distribution, and can all potentially be
to explore the Internet without the risk of their
facilitated by the use of these services.
The ad
location or identity becoming known [Loesing
hoc nature and mainstream protocol features of
et al., 2010]. The Tails operating system which
some of these services make secure detection and
works in conjunction with Tor o�ers an extra
prevention problematic without causing disrup-
layer of anonymity over traditional operating sys-
tion to normal Internet usage. This also causes
tems. When a user is operating Tails all connec-
forensic event reconstruction di�culties as any
tions are forced to go through the Tor network
traces have a high degree of volatility when com-
and cryptographic tools are used to encrypt the
pared to more traditional �le transfer options.
users data.
1.1 Contribution of this work
The operating system will leave no
trace of any activity unless explicitly de�ned by the user to do so.
For many, the topic of covert channels immedi-
The Invisible Internet Project, also known as
ately brings to mind some form of steganography
I2P is another anonymous service similar to Tor.
likely in combination with an Internet anonymiz-
As I2P is designed as an anonymous network
ing service, such as Tor and I2P. While some
layer which will allow users to utilize their own
2
applications across the network. Unlike Tor cir-
ferred to as Vaults.
This allows the authorized
cuits the I2P network tra�c utilises multiple lay-
member access from any location and resilience
ers of encryption and an addressing system not
should a portion of the network not be active at
based on IP or ISP to provide anonymity. This
any time. All data stored on the network is dedu-
process decouples a user's online identity and
plicated and replicated in real time with �le sig-
physical location [Timpanaro et al., 2014].
I2P
natures to ensure integrity. In addition the data
also groups network messages together in irreg-
is encrypted allowing secure storage on untrusted
ular groupings for encryption to discourage net-
remote systems.
work tra�c analysis.
Like Tor, I2P allows for
through a two factor authentication process in-
passage through its network to a server or service
volving a password and pin combination. The use
not hosted within its area of in�uence.
This is
of the MAIDSafe network is incentivized through
managed through the use of �Outproxies� which
SafeCoin, a cryptocurrency that members can
perform the same function as Tor exit nodes.
earn by renting out space or providing resources
Authorized access is managed
Both Tor and I2P provide anonymity to the
such as bandwidth for �le transfers. Other users
user with an open network of onion routers in
can earn SafeCoins by participating in develop-
the case of Tor and Garlic routing in the case of
ment of the protocol.
2.3 Data Ex�ltration through Standard File Transfer Channels
I2P. These networks of routers are run by participating volunteers and it is continually growing. The result of this network growth is an increase in anonymity and privacy for each individual user
Data ex�ltration refers to the unauthorized ac-
[Herrmann and Grotho�, 2011].
cess to otherwise con�dential, proprietary or sen-
However these
services are not without drawbacks such as a se-
sitive information.
Giani et al. [2006] outlines
vere reduction in network throughput resulting
a number of data ex�ltration methods includ-
in much slower access speeds (though I2P has
ing most regular �le transfer methods for �inside
greater reported performance than Tor, in par-
man� attacks, e.g, HTTP, FTP, SSH and email,
ticular for P2P downloading protocols but it has
and external attacks including social engineering,
fewer Outproxies than Tor has exit nodes result-
botnets, privilege escalation and root-kit facili-
ing in a lesser degree of anonymization). Many
tated access.
software packages (those not SOCKS aware in
ods is possible using a combination of �rewalls
the case of Tor) are not designed to correctly
and network intrusion detection systems or deep
route through these services and will instead pro-
packet inspection [Liu et al., 2009, Sohn et al.,
vide information that will potentially reveal the
2003, Cabuk et al., 2009].
Detection of most of these meth-
the end user, there is also the issue of adding yet
2.4 File Delivery Services Built on Anonymizing Networks
another step to the already technical task they
OnionShare is a �le sharing application that
�nd themselves performing.
leverages the anonymity of Tor to provide secure
identity of the user such as the local, true, IP address for response tra�c to be delivered to. For
2.2 Decentralized O�site Data Storage
�le transfers for its users. File transfers are direct
The MAIDSafe network is a P2P storage facility
itself is a python based application that sets up
that allows members to engage in a data stor-
a �le share on the local system as a limited web
age exchange. Each member of the network en-
server.
ables the use of a portion of their local hard
Tor Hidden Service using the built in function-
drive by other members of the network.
ality of the Tor browser.
from uploader to recipient though both users utilize the Tor browser to participate. OnionShare
In re-
This web server is then advertised as a The application uses
turn the member is given the use of an equiv-
random data to generate a 16 character onion ad-
alent amount of storage distributed across the
dress and more random data to generate a unique
network and replicated to multiple locations re-
name for the �le being shared to use as a refer-
3
any trace of the once o� connection to the down-
ence for.
load point, if not already lost from local connec-
The process used by OnionShare is as follows:
tion logs or memory, will only lead to a Tor entry 1. Uploader starts Tor Browser to provide an
point and not to the actual source of the �le.
entry point for OnionShare to the Tor network.
3.
OnionShare is started and a temporary di-
TECHNIQUES
rectory is created in the users' default temp folder.
INVESTIGATIVE
While no work targeted speci�cally at foren-
All randomly generated names in
sic investigation of these zero con�guration ser-
OnionShare follow the same procedure:
vices has been published at the time of writing, (a) A number of random bytes are gener-
there are a number of digital evidence acquisition
ated using os.random. 8 are generated
methods published for related services.
for a directory/host name and 16 for
has , however, been security focused work pub-
the �lename "slug" used to generate
lished on HTML5 additions including an analysis
the �le portion of the share URL
of the
webstore
and
localstore
There
introduced in
(b) These random bytes are SHA-256 and
this version of the protocol such as that produced
the rightmost 16 characters of the re-
by Bogaard and Parody [2012]. This section out-
sulting hash are carved
lines a number of related investigation techniques and analyses their relevancy to the forensic recov-
(c) h is then Base32 encoded, all charac-
ery of evidence from covert �le transfer services.
ters are converted to lower case and any
3.1 Cloud Storage Forensics
trailing `=' signs are removed
Forensics of cloud storage utilities can prove chal-
2. The result is then used as a URL using the format
.onion/
lenging, as presented by Chung et al. [2012a].
and this is
The di�culty arises because, unless complete lo-
the url the Tor browser advertises to the in-
cal synchronization has been performed, the data
troduction nodes and registers on DHT.
can be stored across various distributed locations.
3. The uploader then sends the URL to the
For example, it may only reside in tem-
downloader who must use the URL within
porary local �les, volatile storage (such as the
a timeframe (24 hours by default) or the
system's RAM) or dispersed across multiple dat-
signature of the �le HS timestamp will not
acenters of the service provider's cloud storage
match, a process controlled by the ItsDan-
facility. Any digital forensic examination of these
gerous library for python. In addition to this
systems must pay particular attention to the
time limit, OnionShare also utilizes a down-
method of access, usually the Internet browser
load counter which has a default value of
connecting to the service provider's storage ac-
1. Once the number of downloads success-
cess page (https://www.dropbox.com/login for
fully initiated matches this counter, the link
Dropbox for example).
is no longer considered valid and all incom-
serves to highlight the importance of live foren-
ing URLs with the same �le signature are
sic techniques when investigating a suspect ma-
refused.
chine as a �pull out the plug� anti-forensic tech-
This temporary access
nique would not only lose access to any currently This combination of time and availability in
opened documents but may also lose any cur-
conjunction with the anonymity of Tor makes
rently stored sessions or other authentication to-
OnionShare tra�c extremely di�cult to analyze
kens that are stored in RAM.
e�ectively. If the tra�c is observed then the link
Martini and Choo [2013] published the results
is already invalidated. Similarly, if the �le is dis-
of a cloud storage forensics investigation on the
covered on a local �lesystem by an investigator
ownCloud service from both the perspective of
4
the client and the server elements of the service.
tion.
They found that artifacts were found on both
Tor network requires advanced digital forensic
the client machine and on the server facilitating
knowledge as traditional investigation methods
the identi�cation of �les stored by di�erent users.
used for standard networks fail to heed the de-
The module client application was found to store
sired results.
authentication and �le metadata relating to �les
study measuring statistical data in the Tor net-
stored on the device itself and on �les only stored
work. The study is weighted towards protecting
on the server. Using the client artifacts, the au-
the users anonymity while using Tor but nonethe-
thors were able to decrypt the associated �les
less shows that it is technically possible to gather
stored on the server instance.
data on Tor users by setting up a Tor relay and
3.2 Network Forensics
The process of an investigation into the
Loesing et al. [2010] published a
logging all relayed user tra�c. When users install Tor the software �rst con-
Network Forensic Analysis Tools (NFATs) are de-
nects to one of the directory authorities. The di-
signed to work alongside traditional network se-
rectory authorities are operated by trusted indi-
curity practices, i.e., intrusion detection systems
viduals of Tor and from these authorities the Tor
(IDSs) and �rewalls. They preserve a long term
software downloads the list of currently available
record of network tra�c and facilitates quick
Tor nodes. These nodes are relay servers that are
analysis of any identi�ed issues [Corey et al.,
run by volunteers of Tor. The Tor client then se-
2002]. Most �rewalls allow HTTP and HTTPS
lects three nodes from those available and builds
tra�c through to allow users behind the �rewall
an encrypted channel to the entry node. An en-
to have access to regular web services which oper-
crypted channel is then built from the entry node
ate over these protocols. With regards to the web
to the middle node, and lastly this channel con-
based covert �le transfer services (outlined in de-
nects to the exit node.
tail in Section4 below), blocking network tra�c
Blond et al. [2011] demonstrated the results of
to these systems would require the maintenance
an attack on the Tor anonymity network that re-
of a comprehensive �rewall list of such servers to
vealed 10,000 IP addresses over 23 days. The au-
ensure no unauthorized data ex�ltration. NFATs
thors used the attack to obtain the IP addresses
collecting this information will only have the abil-
of BitTorrent users on Tor. The study found that
ity to capture the encrypted packets, their desti-
72% of users were speci�cally using Tor to con-
nation and associated metadata. Identifying pre-
nect to the tracker. The authors launched their
cisely what has been transferred will likely prove
attacks through six instrumented Tor exit nodes
impossible for network administrators.
resulting in 9 percent of all Tor streams being
The issue with always-on active network foren-
traced. Moreover, the paper analyses the type of
sics is dealing real-time with the large volumes
content discovered in the attack culminating in
of tra�c involved.
One approach to overcome
the result that the existence of an underground
the massive volume of network data to process is
BitTorrent ecosystem existing on Tor is plausi-
to simply record every packet sent and received
ble. Alongside these attacks Tor users were also
from the Internet, in the similar manner to the
pro�led. Using BitTorrent as the insecure appli-
tactic employed in the case outlined by Gar�nkel
cation they hijacked the statistical properties of
[2002]. This would facilitate an after-the-fact re-
the DHT and the tracker responses.
construction of any data breaches to aid in de-
4.
termining precisely what was compromised.
3.3 Deep-Web Forensics
EVOLUTION OF HTML5
POWERED COVERT FILE
Although Tor and I2P are designed for users
TRANSFER SERVICES
to communicate and transfer data on the Inter-
While services like Onionshare provide a method
net anonymously it is still viable and possible
of �le transfer that is di�cult to investigate due
for investigators to gather user speci�c informa-
to its limited lifespan and shifting end points, it
5
visited). Any element can be added to the array through a Drag and Drop (DnD) functionality or �les can be added though a �le browser interface. The actions available by default are:
copy:
A copy of the source item may be
made at the new location.
move: An item may be moved to a new location.
link: A link may be established to the source at the new location.
copyLink: A copy or link operation is permitted.
copyMove: A copy or move operation is permitted.
linkMove: A link or move operation is permitted.
Figure 1: The Basic HTML5 Data Transfer Pro-
all: All operations are permitted.
none: The item may not be dropped
cess if the element added to the array is a �le then the element is passed to a
FileReader
ob-
still requires software installation and additional
ject that copies the data contained in the �le
support services in the form of the Tor Browser.
to
These requirements allow for several methods of
ing on the settings of the web application.
access control such as a security policy blocking
cal Storage is shared across all browser sessions
local services attempting to communicate on port
currently active, session storage is only avail-
9159 and 9051, the default Tor Control Ports. On
able to the owning application or window (for
an application level local, group or layer 7 �rewall
browsers with multiple tabs or windows).
policies can block
tor.exe
or
onionshare.py
localstorage
or
session storage
dependLo-
This
local/session storage behaves very similarly to
based on path or �le hash without undue inter-
the standard cookie storage but with hugely in-
ruption to normal user network usage.
creased capacity. ( 5MB for Chrome, Firefox and
4.1 Basic HTML5 File Transfer
Opera, 10MB for Internet Explorer - DnD native is only available in version 9+ of IE - web storage in version 8+, and 25MB for Blackberry).
Basic HTML5 File transfer as depicted in Fig-
For basic data transfer, the
ure 1 is accomplished using native browser APIs
data transfer
Filereader
reads
ob-
the entire �le indicated into RAM for process-
ject. This object consists of a customizable array
ing. Once stored in web storage a �le can only
that allow a user to utilize a of
key:value
pairs that represent a group of �le
be accessed by local actions that have permis-
objects. This associative array is then accessible
sion to access that web storage area such as client
by client side scripts run from a web page or web
side scripts downloaded from the controlling web
application.
These scripts must �rst be down-
page or session. These scripts can use any script-
loaded and allowed to run by the local user (this
ing language but usually JQuery, JavaScript or
depends on the trust setting for the website being
AJAX. The local client can also call scripts to
6
communication is displayed alongside the newer WebRTC method.
Both systems start with es-
tablishing a signaling and control path to handle non-sensitive data such as connection auditing packets.
In VOIP, the data stream would
follow this established path and tra�c between Client A and Client B involving relay through Relays 1 and 2. Unless the user fully trusts both relays and the security of the network path between each node on the network, there is a risk of an adversary eavesdropping on the data stream and either manipulating the content in transit or Figure 2:
capturing it for o�ine inspection.
Traditional VOIP Data vs DTLS-
SRTP
5.
ANALYSIS OF EXISTING
run on the remote server in order to pass vari-
SERVICES
ables or prepare for the establishment of addi-
Services such as those presented in Table 1 are a
tional sessions are required.
sample set of HTML5 and WebRTC based �le
4.2 Cryptographically enhanced HTML5 data channels
transfer utilities.
of these applications appear to be homogenous closer examination shows important di�erences
Following on from their acquisition of ON2 in
in both capabilities and requirements.
February 2010, Google continued to develop a
low usage without local installation or some form
was made open source in 2011 when it was
of authentication. Of these, JustBeamIt is based
adopted by W3C as a standard for HTML5.
on basic HTML5 �le transfer while Sharefest uti-
The protocol, which supported Real Time Com-
lizes WebRTC. While Sharefest purports to o�er
munication between browsers was released as
persistent storage, it does so by virtue of its dis-
was developed to provide P2P
tributed organization.
voice, video and data transfers between browsers without
an
additional
software
Of the
services listed, only Sharefest and JustBeamIt al-
browser to browser data transfer protocol, which
WebRTC 1.0,
While at �rst glance many
Storage is only available
as long as at least one share member is online.
requirements.
While many of the services do not provide en-
WebRTC, provides a collection of protocols and
crypted �le transfer, the threat posed lies in the
methods as well as a group of codec libraries that
fact that any illegal or illicit data transfer can be
can be accessed via a JavaScript API.
di�cult, if not impossible, to di�erentiate from
WebRTC improved data transfer over the stan-
standard web tra�c.
dard HTML5 script based method by introducto end encryption. This is accomplished through
5.1 HTML5 Enabled Peer-to-Peer Transfer
the use of Datagram Transport Layer Security
This section examines a number of HTML5 en-
(DTLS) Modadugu and Rescorla [2004] exten-
abled P2P transfer sites and describes their op-
sion to handle key exchange for the Secure Real-
eration.
ing data integrity, source authentication and end
time Transport Protocol (SRTP). The use of
5.2 Sharefest
DTLS-SRTP di�ers from standard VOIP encryption by removing the need to trust SIP relays
Sharefest.me
that form the path between the source and des-
based website that aims to dynamically gener-
tination.
ate and maintain �le-sharing swarms by con-
is
a
�le-sharing
�one-to-many�
necting peers that are interested in sharing the
In Figure 2, the standard VOIP method of
7
In�nit Any Send Rejetto QikShare
Anonym ity Mobile Compa tibility Persist ent Sto rage Relay S erver
tion tion Op
ation R e
quired
HTML 3 3 3 3 3 7 3
Applica
Transfer Big Files
3 7 3 3 3 7 7
Registr
JustBeamIt
Based
nsfer ted Tra Sharefest
Encryp
Service Name
7 7 3 3 3 3 3
7 7 7 3 3 3 7
7 7 7 7 7 7 7
7 3 3 7 3 7 3
3 7 3 3 3 3 3
3 7 3 3 7 3 3
Table 1: Comparison of Browser Based Transfer Services
cess is quite straightforward in design.
The
sharefest.me server acts as a transfer control server that records all �les being o�ered for sharing and matches the resource to the client system request.
In the scenario depicted, Client
A has a complete �le that it wants to share. Client A connects to the Sharefest server at
https://www.sharefest.me/
over port 443 and
negotiate TLS1.2 where possible using SPDY if available for web content transfer.
Given a
full range of options the Sharefest server negotiates the use of the ECDHE-ECDSA with AES
128
and
GCM
256.
As
required
by
the IETF RFC 4492 (http://tools.ietf.org/
html/rfc449),
Figure 3: Sharefest P2P Mesh over WebRTC
the Sharefest server passes the
curve details as part of its same data.
packet.
Like the BitTorrent protocol, mul-
Once a secure path is established the server
tiple peers are utilized simultaneously to trans-
delivers a small set of helper scripts to the client:
fer portions of the data thus increasing download speeds by avoiding the bottleneck that is the
lower upload speed of a standard ADSL Internet connection.
serverkeyexchange
�les.js : a script to gather �le details from the client
In order to achieve this, Sharefest
is built on Peer5's (https://peer5.com/) plat-
ui.js :
a script to control the update and
form for a distributed Internet, a P2P data trans-
display of the �le management interface on
fer mesh network that utilizes the capabilities of
the page.
the browser without additional plugins beyond a WebRTC capable browser.
Once a �le has been selected for sharing the Sharefest server assigns a code value in the form
As depicted in Figure 3, the Sharefest pro-
8
https://www.sharefest.me/ 67509cb244257b6643540dda512f8171 where the
tion of a personal server. Peer5 also provide the
of a URL such as
API key for free to anyone interested in the code.
number after the domain name is the swarmID
This means that any IP or URL could become a
for this �le. The SwarmID has 32 characters but
Sharefest server.
is not based on the MD5 of the �le, instead it ap-
One method of detecting the use of this ap-
pears to be derived from the Sharefest crypto.js
plication is the STUN tra�c generated once
script which incorporates SHA3 in a lengthy cal-
a
culation. The swarmID is deterministic meaning
ated. In testing an average of 5 STUN negotia-
that any client sharing the same �le will identi-
tion/con�rmation exchanges were recorded every
�ed with the same swarmID.
second depending on the level of �le transfer data
peer
is
identi�ed
and
connection
is
initi-
Once clients o�ering and requesting the same
passing between the peers. This level of �noise�
�le or �le set are identi�ed the Sharefest server
would make the user of Sharefest relatively easy
acts as a central tra�c control and initiates a
to discover and no e�ort is made to obfuscate the
STUN connection directly between the partici-
communicating peers.
In Figure 3, Clients A, C and
In an attempt to determine if this lack of
D are all participating in the swarm for File 1,
anonymization could be overcome, we attempted
but Client B is not involved.
to run Sharefest through a Tor circuit but both
pating clients.
The STUN con-
nection consists of each pair of clients issuing
transfer
BIND requests from uploader to downloader us-
failed to complete the initial negotiation with
utilities
(JustBeamIt
and
Sharefest)
ing STUN over UDP which allows each host to
the relevant server.
discover its own public facing IP address in or-
Browser installed on a Windows 7 VMWare im-
der to create end to end connections through a
age.
NAT gateway or �rewall.
This was tested using Tor
A possible alternative may be to attempt
Each BIND / Con-
the use of a SOCKS aware proxy to direct the
�rm pair is re-issued on a regular, short, interval
tra�c to and from the application. Alternatively
to ensure the connection remains intact.
Once
a server running Sharefest could be adapted to
the STUN session is active the two peers nego-
run as a Tor Service but this would not alleviate
tiate a WebRTC session and switch over to the
the lack of privacy experienced once data transfer
protocol's encryption.
was initiated between peers.
ACK and STUN con�r-
5.3 Transfer Big Files
mation messages continue to be sent to and from the Sharefest server and the peers throughout the Transfer
exchange. Sharefest is an example of P2P privacy in a dis-
on the user's account type.
ferred without risk of interception. This level of
(TBF) o�ers
https:// drag
and
At the most basic
free account level, the limit is 100mb per �le
privacy comes at a cost though as the ability of
totalling up to 20gb of �les awaiting transfer
IT security to inspect the tra�c is greatly di-
at any one time.
minished with the level of encryption in use at
Files are held by the server
for a default of 5 days before they are removed.
Packet analysis can
While this service does o�er HTML5 drag and
detect the IP addresses in use but without ac-
drop upload capability, it is not a true P2P
cess to the key to decrypt the tra�c the content
application in that it does not transfer directly
being transferred is extremely di�cult to determine.
�les
drop transfer of �les with size limits dependant
tributed network ensuring that data can be trans-
all stages of the transfer.
Big
www.transferbigfiles.com/
from one local peer to one or more remote peers.
One option available to network admins
Some features of TBF include:
is to block the use of the sharefest.me service by
blacklisting the URL. This would have the ef-
senders must have an account to avail of
fect of preventing casual usage of the service but
the service. This account requires a name,
the source for Sharefest is publicly available on
email address and a password though of
https://github.com/Peer5/Sharefest
note, there is no veri�cation of any of these
Github
�elds
along with instruction and support for installa-
9
Recipients can either have their own account or can be sent a shortened URL alias link
the variables and de�nes the communication
with the domain tbf.me and a short code for
functions
the �le itself
The
initial
big�les.com
DNS
lookup
resolves
to
for
an
BrowserDetectUtility.js - determines if the user browser can properly support HTML5
Transfer-
IP
data transfers
address
69.174.247.183 - a server hosted in the US
JustBeamIt.js - the base script that sets up
FileHandler.js - manages the transfer to and
This account server negotiates TLS 1.0 as
from the �le array.
part of the initial handshake
set and webpage noti�cations if the array is
Handles the array re-
emptied. File
upload
prompts
DNS
lookup
of
0storageuk4.transferbig�les.com
and
1storageuk4.transferbig�les.com
which
both
resolve
to
83.222.233.155
(a
UploadManager.js - de�nes the drag and drop actions and de�nes the �landing zone�
server
group hosted in the UK)
UploadHandler.js - Determines if the Client needs to use XMLHttpRequest (XHR) or
once uploaded the �les remain on the storage
FORM based uploading and generates the
servers until picked up by the receipient who
QRCode.
must be noti�ed separately
and
UploadHan-
dler.FORM.js - the actual uploading scripts
File download is performed from one of the tbfuk4.transferbig�les.com group servers
There is an option to drag and drop a �le into
over standard HTTPS.
UploadHandler.XHR.js
the browser but in this instance the �le browser
TBF also o�ers an application and a com-
is used to select a �le from the local user pictures
mand line client with enhanced capabilities
folder.
over the browser based interface but this is
is clicked and the link
beyond the scope of this paper
Once selected the button �Create Link�
http://www.justbeamit
.com/di33x
is created along with a QRCode for
mobile use.
This link can copied and sent to
It is worth noting that while this transfer ser-
the receiving system, in the meantime the lo-
vice is just standard HTTPS and so will be dis-
cal client is redirected to a relay server URL for
covered by standard forensic practices, if the
the upload itself (http://b1.justbeamit.com/.
username and password can be recovered, the
On the remote system, the URL is pasted into
site's account activity summary contains a full
a browser and the system and the remote client
http://www.justbeamit.com and immedi-
activity log of all �les uploaded including when
loads
the transfer was started and when the recipient
ately requests the download token for the �le
collected the �le as well as the recipient's account
ID
name.
JavaScripts.
di33x
and downloads and runs the set of The server passes along the token
5.4 JustBeamIt
along with the current download status (upload
An example of a basic HTML5 transfer applica-
tension). Once the remote user clicks on the link
waiting) and the �le descriptor (name, size, ex-
tion is the �le transfer service o�ered at
www.justbeamit.com.
http://
to download the browser is redirected to
b1.justbeamit.com
The sending user con-
8080
http://
where the �le transfer is
(alternate
performed. Once complete the local user is no-
HTTP port) and performs a standard TCP hand-
ti�ed that the transfer has been successful. The
nects to the server over port shake followed by a series of
HTTP GET
token used to download is now invalidated and
requests
a new link must be generated if the �le is to
for client side JavaScripts.
10
be shared again.
part of the URL used. From here it is a standard
Similarly, there is a 1000 sec-
ond timeout period during which the shared �le
HTTPS
must be downloaded before the opportunity ex-
and the download URL will re�ect the anysend
pires and a new share token must be generated.
server url as well as the full �lename of the �le with
While this method of �le transfer provides ease
term
from
the
anysend
servers
�%20via%20AnySend.exe�
ap-
http://www.anysend.com/dl.php ?data=7f234e0920d8424833f97d3ab9380883\ ...\&fn=orientdb-community-2.0.4\ %20via\%20AnySend.exe\&packageID= ED59EE58A0380BBDB197A88F8290BDDE pended.
of use to the end user, all transfers are performed via unencrypted tra�c.
the
download
The data being trans-
ferred is susceptible to any form of eavesdropping capable of detecting tra�c on any network segment the tra�c passes through. The open nature
eg:
of the transfer and the client side execution of
6.
scripts (as well as the open exchange of tokens) allow for trivial man-in-the-middle (MITM) at-
FORENSIC
CONSEQUENCES OF
tacks where an adversary capable of eavesdropping can use a proxy or other interception utility
�UNTRACEABLE� FILE
to alter the packets in transit. One possible sce-
TRANSFER
nario would be the substitution of a harmless Up-
The facilitation of �untraceable� or �anonymous�
loadManager.js script for something less benign
�le exchange can lead to a number of potential
as identi�ed by Jang-Jaccard Jang-Jaccard and
malicious use cases. For each of the scenarios out-
Nepal [2014] as a rising risk or, even exchanging
lined below, an added dimension can be created
the generated download token for one that leads
by the originator of the content: time.
to a virus or other form of malware. From a security standpoint, defense against
cess to any piece of content, the timeframe where
the use of this service is quite straightforward.
evidence may be recovered from remote sharing
Because of the application's use of a centralized
peers might be very short.
set of servers, a standard �rewall rule to block access to
http://*.justbeamit.com
6.1 Cybercriminal Community Backup
would pre-
vent any upload but also any attempt to download.
Unmonitored covert transfer could be used to cre-
5.5 Any Send Any Send
Due to
the ability to create �one-time� or temporary ac-
http://www.anysend.com/
ate a �share and share alike� model for the remote encrypted backup of illegal content. The sharing is a web
of these backups onto multiple remote machines
based �le transfer utility that o�ers a pure web
e�ectively could provide the user with a cloudless
based alternative to its own downloadable appli-
backup solution requiring minimal trust with any
cation. The web page anysend.com resolves to a
remote users. The encryption of the data before
set of four IP addresses divided between Utah
distribution to the community can ensure that
and Texas and all registered to clickmein.com.
only the owner will ever have access to decrypt
The webpage consists of a large background
the data. Trust only comes into play should the
image and a single �dropzone� for �les to be sent.
remote nodes delete the information or it other-
On dropping a �le, the background javascript
wise becoming unrecoverable.
helpers manage the �le upload to their servers.
Having a secure,
encrypted connection to a remote backup might
Once uploaded the user is presented with a URL
be desirable to cybercriminals enabling the use of
to send to the recipient. The URL is comprised
a kill-switch to their local storage devices should
of the anysend.com domain and a �le identi�er
the need arise.
generated by the server (a 32 character string).
6.2 Secure Covert Messaging
Once the recipient enters the URL into a browser they are taken to an anysend.com page with
For example,
details of the �le corresponding to the �leID
the BitTorrent Sync Protocol found at
11
the proof of concept based on
http://
missiv.es/.
6.5 Alternative to Server Based Website Hosting
The application currently operates
by saving messages to an �outbox� folder in a synchronized share between peers that has a read
This scenario involves the creation of static web-
only key shared to the person you want to re-
sites served through a shared archive. These web-
ceive the message. They in turn send you a read only key to their outbox.
sites could be directly viewed on each user's lo-
One to many can be
cal machine facilitating the easy distribution of
achieved by sharing the read only key with more
any illegal material. The local copies of the web-
than one person but no testing has been done
site could receive updates from the �webmaster�
with synchronization timing issues yet and key
through the extraction of archived updated dis-
management may become an issue as a new out-
tributed in a similar manner as the original.
box would be needed for each private conversation required.
7.
6.3 Industrial Espionage
POTENTIAL FORENSIC INVESTIGATION TECHNIQUES
Many companies are aware of the dangers of allowing unmonitored tra�c on their networks.
Assuming access (physical or remote) can be ac-
However, quite often corporate IT departments
quired to either end of the �le transfer, then a
enforce a blocking of P2P technologies through
live acquisition of the evidence should be attain-
protocol blocking rules on their perimeter �re-
able.
walls. This has the e�ect of cutting o� any �le-
fact would rely on traditional hard drive and
sharing clients installed on the LAN from the
memory forensic techniques to see if any rem-
outside world.
nants of the network communication remain.
In addition to Deep Packet In-
Performing evidence acquisition after the
spection (DPI) to investigate the data portion of
The investigation of the unauthorized trans-
a network packet passing the inspection point,
fer for information through one of these ser-
basic blocking of known IP address blacklists
vices without access to either end of the transfer
in �rewall rulesets can be used.
The di�culty
can prove extremely di�cult. Assuming through
in blocking HTTP based �le transfers is that
some external means, the precise date and time
the technology is likely used during regular em-
of the transfer were discovered. The only method
ployee Internet usage.
HTTP transfers can be
available to law enforcement is to e�ectively wire-
used when emailing �le attachments or adding
tap the transfer by running a software or hard-
items to content management system. One addi-
ware based deep packet inspection tool on the
tional scenario where these services could be used
network at either end of the transfer.
would be to transfer �les within a LAN and sub-
To date there has been keen interest in re-
sequent external ex�ltration from a weaker/less
search performed on the forensic examination
monitored part of the network, e.g., guest wire-
of �le sharing utilities and the type of security
less access.
risks they pose. Chung et al. [2012b] outlined a best practice approach to the investigation of �le
6.4 Piracy
sharing using cloud based Storage-as-a-Service (StaaS) utilities such as Dropbox, iCloud and
Like any other P2P technology, the ability to
OneDrive.
transfer �les in a direct manner from peer to peer
Cloud Data Imager (CDI) a utility developed to
lends itself well to the unauthorized distribution
automate the retrieval of cloud based storage ar-
of copyrighted material.
tifacts from a suspect system and use these cre-
The sharing of copy-
In 2014, Federici [2014] presented
dentials to access their secure storage online.
righted multimedia, software, etc., between peers using these covert services is less likely to lead to
Scanlon et al. [2014] described a methodology
prosecution compared with public piracy on open
that leveraged the processes used by persistent
�le-sharing networks such as BitTorrent.
�le synchronization services to ensure data in-
12
tegrity to retrieve data that would otherwise have
of both time and money for law enforcement
been inaccessible. This could be as a result of de-
to comprehensively investigate and mitigation of
liberate obfuscation such as encryption or anti-
the risk by way of security policies or hardware
forensic activities or it could be caused by an
and software based rulesets may come at a price
error in the imaging process. The methodology
in terms system usability that will be deemed too
presented utilized the need for synchronization
high.
8.1 Future Work
group ongoing communication to enumerate remote peers and to identify any authorized peers
As privacy becomes easier for the end user to
that could provide a forensically true copy of the
accomplish, the role of forensics will become all
suspect data.
that much harder as not even the �low hanging
Emerging �le transfer utilities, such as the
fruit� of browser history can be expected as a
purely browser based �le transfer utilities based
starting point. Additionally, system security will
on WebRTC, do not advertise persistence of
no longer be able to react as this may already be
availability nor integrity checking beyond the ini-
too late. As a future developement in forensics
tial transfer and in many cases are only associ-
there is clear potential for utilities and techniques
ated for the length of time that both parties are
to be developed to help bridge the gap between
online and in communication, directly or otherwise.
proactive security abnd reactive forensics. Some
After this time, such as with Onionshare
areas of interest are
for example, the address of the �le source will
change completely and no longer be available to any peer authorized or otherwise.
Detection
of
HTML5
and
WebRTC based Data Ex�ltration.
This ephemeral nature of data transfer can
make any attempt to verify or re-create the cir-
Approximate Hashing Signatures � Approximate hashing facilitates the analysis of net-
cumstances of the �le transfer di�cult if not im-
work tra�c as it could be applied to recog-
possible and it very much depends on the features
nise variations on patterns speci�c to proto-
of the individual application being employed.
8.
Automated
cols and their timings used in HTML5 and WebRTC
CONCLUSION
The evolution of online �le transfer systems is
Forensic analysis of P2P over anonymizing networks. Perhaps a lack of a footprint can
becoming more and more covert through em-
be proven to be a footprint in and of itself
ploying encryption-based, server less, P2P proto-
in a networking environment.
cols. The development of HTML5 and JavaScript based
services
proves
particularly
REFERENCES
interesting
from a digital forensic perspective. As these tech-
Stevens Le Blond, Pere Manils, Chaabane
nologies mature, a future can be easily envisioned
Abdelberi, Mohamed Ali Dali Kaafar, Claude
whereby the investigation and evidence retrieval
Castelluccia, Arnaud Legout, and Walid
from these systems will prove extremely di�cult, if not entirely impossible.
Dabbous. One bad apple spoils the bunch:
Daisy-chaining
exploiting p2p applications to trace and
a number of the technologies outlined in this pa-
pro�le tor users. arXiv preprint
per has the potential to enable malicious users to
arXiv:1103.1518, 2011.
securely transfer any desired information to another user/machine without arousing suspicions
Daryl; Bogaard, Daniel; Johnson and Robert
of system administrators. Identifying the use of
Parody. Browser web storage vulnerability
a HTTPS, browser-based P2P �le transfer with
investigation: Html5 localstorage object. In
relatively small transfer sizes might prove pro-
Proceedings of The 2012 International
hibitively di�cult.
Conference on Security and Management,
The investigation of these
2012.
transfers may prove cost prohibitive in terms
13
Shields. Ip covert channel detection. ACM
http://www.sciencedirect.com/ science/article/pii/S0022000014000178.
Transactions on Information and System
Special Issue on Dependable and Secure
Security (TISSEC), 12(4):22, 2009.
Computing The 9th {IEEE} International
URL
Serdar Cabuk, Carla E Brodley, and Clay
Conference on Dependable, Autonomic and
Hyunji Chung, Jungheum Park, Sangjin Lee,
Secure Computing.
and Cheulhoon Kang. Digital forensic
Yali Liu, Cherita Corbett, Ken Chiang, Rennie
investigation of cloud storage services. Digital Investigation, 9(2):81 � 95, 2012a. ISSN
Archibald, Biswanath Mukherjee, and Dipak
1742-2876.
Ghosal. Sidd: A framework for detecting sensitive data ex�ltration by an insider
Hyunji Chung, Jungheum Park, Sangjin Lee,
attack. In System Sciences, 2009. HICSS'09.
and Cheulhoon Kang. Digital forensic
42nd Hawaii International Conference on,
investigation of cloud storage services. Digital
pages 1�10. IEEE, 2009.
investigation, 9(2):81�95, 2012b.
Karsten Loesing, Steven J Murdoch, and Roger Vicka Corey, Charles Peterman, Sybil Shearin,
Dingledine. A case study on measuring
Michael S Greenberg, and James
statistical data in the tor anonymity network.
Van Bokkelen. Network forensics analysis.
In Financial Cryptography and Data Security,
Internet Computing, IEEE, 6(6):60�66, 2002.
pages 203�215. Springer, 2010.
Corrado Federici. Cloud data imager: A uni�ed
Ben Martini and Kim-Kwang Raymond Choo.
answer to remote acquisition of cloud storage
Cloud storage forensics: owncloud as a case
areas. Digital Investigation, 11(1):30 � 42,
study. Digital Investigation, 10(4):287 � 299,
2014. ISSN 1742-2876.
2013. ISSN 1742-2876.
http://dx.doi.org/10.1016/j.diin.2014.02.002.
http://www.sciencedirect.com/ science/article/pii/S174228761400005X.
Nagendra Modadugu and Eric Rescorla. The
URL
design and implementation of datagram tls. In NDSS, 2004.
Simson Gar�nkel. Network forensics: Tapping Mark Scanlon, Jason Farina, Nhien-An
the internet. IEEE Internet Computing, 6:
Le Khac, and M-Tahar Kechadi. Leveraging
60�66, 2002.
Decentralisation to Extend the Digital Annarita Giani, Vincent H Berk, and George V
Evidence Acquisition Window: Case Study on
Cybenko. Data ex�ltration and covert
BitTorrent Sync. Journal of Digital
channels. In Defense and Security
Forensics, Security and Law, pages 85�99,
Symposium, pages 620103�620103.
September 2014.
International Society for Optics and
Taeshik Sohn, JungTaek Seo, and Jongsub
Photonics, 2006.
Moon. A study on the covert channel
Michael Herrmann and Christian Grotho�.
detection of tcp/ip header using support
Privacy-implications of performance-based
vector machine. In Information and
peer selection by onion-routers: a real-world
Communications Security, pages 313�324.
case study using i2p. In Privacy Enhancing
Springer, 2003.
Technologies, pages 155�174. Springer, 2011.
Juan Pablo Timpanaro, Isabelle Chrisment, and Olivier Festor. Group-based characterization
Julian Jang-Jaccard and Surya Nepal. A survey of emerging threats in cybersecurity. Journal
for the i2p anonymous �le-sharing
of Computer and System Sciences, 80(5):973
environment. In New Technologies, Mobility
� 993, 2014. ISSN 0022-0000.
and Security (NTMS), 2014 6th International
http://dx.doi.org/10.1016/j.jcss.2014.02.005.
Conference on, pages 1�5. IEEE, 2014.
14
![HTML5 Zero Configuration Covert Channels: Security Risks and ... [PDF]](https://m.moam.info/img/260x300/html5-zero-configuration-covert-channels-security-_647d39ff098a9ece058b469e.jpg)
