
Alexander Geschonneck ix-edition



Computer Forensics

Alexander Geschonneck heads the Forensic Technology division as a partner at KPMG AG Wirtschaftsprüfungsgesellschaft. His main focus is securing and analyzing digital evidence in the context of fighting corruption and fraud, as well as investigating IT security incidents. Before that, he was a senior security consultant and partner at HiSolutions AG in Berlin and a senior manager at Ernst & Young AG, where he headed the Forensic Technology & Discovery Services division. Since 1993 he has worked across industries in strategic and operational IT security. Alexander Geschonneck is co-author of the IT-Grundschutz (IT baseline protection) catalogues of the German Federal Office for Information Security (BSI). Since 2002 he has been a licensed IT baseline protection auditor and ISO 27001 auditor on the basis of IT baseline protection. He studied business informatics in Berlin with a focus on information security. Further publications on computer forensics and general IT security can be found on his private homepage. Alexander Geschonneck is a Certified Fraud Examiner and Certified Information Systems Auditor.

ix-edition

The ix-edition publishes titles that have been selected and designed by dpunkt.verlag together with the editors of the computer magazine iX. The main focus of this series is software and web development as well as administration and IT security.

Alexander Geschonneck

Computer Forensics
Recognizing, investigating and solving computer crimes

5th, updated and expanded edition

Alexander Geschonneck

Editing: René Schönfeldt
Copy-editing: Ursula Zimpfer, Herrenberg
Production: Nadine Thiele
Author's photo: Markus Vogel
Cover design: Helmut Kraus
Printing and binding: M.P. Media-Print Informationstechnologie GmbH, Paderborn

Bibliographic information from the German National Library: The German National Library lists this publication in the German National Bibliography; detailed bibliographic data are available on the Internet at.

ISBN: Book / PDF / epub

5th, updated and expanded edition 2011
Copyright 2011 dpunkt.verlag GmbH, Ringstrasse 19 B, Heidelberg

This publication is protected by copyright. All rights reserved. Any use of the texts and images, even in extracts, without the written consent of the publisher is contrary to copyright law and therefore punishable. This applies in particular to reproduction, translation or use in electronic systems. Please note that the software and hardware designations used in this book, as well as the brand names and product names of the respective companies, are generally subject to trademark, brand or patent protection. All information and programs in this book have been checked with the greatest care. Neither the author nor the publisher can, however, be held liable for any damage arising in connection with the use of this book.

Table of Contents

Introduction 1
  Who should read this book?
  What do you learn in this book?
  What do you not learn in this book?
  How do you read this book?
  What's new in the 5th edition?

1 Threat situation
  Threat and probability
  Distribution of risk
  Motivation of the perpetrators
  Internal perpetrators vs. external perpetrators
  Confirmation through statistics?
  Computer crime

2 Course of attacks
  Typical attack course
  Example of an attack

3 Incident response as the basis of computer forensics
  The incident response process
  Organizational preparations
  Composition of the response team
  Incident detection: discovering system anomalies
  Incident detection: an incident is reported
  Security incident or operational disruption?
  3.7 Choice of response strategy
  Reporting and post-incident review

4 Introduction to computer forensics
  Objectives of an investigation
  Requirements for the investigation process
  Phases of the investigation
  The S-A-P model
  Which findings can be gained?
  How do you handle evidence correctly?
  Securing volatile data: save immediately
  Securing storage media: forensic duplication
  What should be secured?
  First steps on a system for preserving evidence
  Merging the examination results
  Common mistakes
  Anti-forensics

5 Introduction to post-mortem analysis
  What can be analyzed?
  Analysis of the file slack
  Timeline analysis
  NTFS streams
  NTFS TxF
  NTFS volume shadow copies
  Windows registry
  Windows UserAssist keys
  Windows Prefetch files
  Swap files
  Recovering hidden files
  Recovering files or fragments
  Analyzing unknown binary files
  System logs
  Analyzing network recordings

6 Overview of forensics and incident response toolkits
  Basic information on using the tools
  Secure examination environment
  F.I.R.E
  Knoppix Security Tools Distribution
  Helix
  ForensiX-CD
  C.A.I.N.E. and WinTaylor
  DEFT and DEFT-Extra
  EnCase
  dd
  Forensic Acquisition Utilities
  AccessData Forensic Toolkit
  The Coroner's Toolkit and TCTUtils
  The Sleuth Kit
  Autopsy Forensic Browser
  Creating your own toolkits for Unix and Windows

7 Forensic analysis in detail
  Forensic analysis under Unix
  Forensic analysis under Windows
  Forensic analysis of mobile devices
  Forensic analysis of routers

8 Recommendations in the event of damage
  Log book

9 Backtracing
  Checking IP addresses
  Spoof detection
  Validating routes
  Nslookup
  Whois
  E-mail header

10 Involvement of the authorities
  Organizational preparatory work
  Criminal law procedure
  Civil law procedure
  Presentation to the public
  The evidence situation in private investigations

Conclusion

Appendix 337
  A Tool overview 339
  B C.A.I.N.E. tools 347
  C DEFT tools 355
Recommended literature 359
Index 361

Introduction

"I need information, Watson!"

Security in information technology is a growing problem. Of course, this does not mean security as such, but the threat to security that arises from ignorance, negligence or willful misconduct. Because of the massive use of information technology, almost every organization now depends on it. Computer systems today hold an ever greater concentration of data that is necessary for the smooth running of business and work processes. This dependence on information technology makes the affected institutions an ideal target for attackers and troublemakers.

Firewalls and intrusion detection systems

The security officers have meanwhile convinced the decision-makers in the companies that firewall systems enable reasonably secure communication scenarios at certain network interfaces. After this approach did not always appear to be consistently feasible, especially with increasingly complex application structures, intrusion detection systems (IDS) were often installed in a further step; they are supposed to detect attacks that cannot be prevented by firewalls. So today it is no longer just about preventing a security problem from occurring. Rather, it is about being able to intervene even if the first protective mechanisms have been overcome by an attacker: a security incident that is currently in progress or has already occurred must be reliably detected, its effects must be effectively contained, and sufficient information should be collected to enable a meaningful investigation of the perpetrators later. In most cases, therefore, combined countermeasures are necessary in order to react to security incidents.

Initiation of forensic investigations

This also includes so-called forensic investigations [1]. They usually take place when there are serious indications that attacks or other criminal acts against one's own system landscape have taken place or are currently in progress. The term computer forensics or digital forensics has become established in recent years for the detection and investigation of criminal offenses in the field of computer crime. Based on the general meaning of the Latin-derived word forensic, computer forensics is a sub-area that deals with the detection and clarification of criminal acts, e.g. by analyzing digital traces.

Who Should Read This Book?

Administrators

Almost every organization has been confronted with the question of a successful system break-in, and private individuals who connect their PC to the Internet can also become victims of an attack. But very few are prepared for it. If you want to avoid security problems or determine whether other systems in your own environment have been attacked, it makes sense to conduct forensic investigations. The aim here is to find out, among other things, whether an attacker was really successful, which route he took and which system gaps could have led to the break-in. The Internet and current IT publications are full of tips and tricks for securing systems and communication channels, and administrators implement many of them, but break-ins still occur. This book is therefore also intended to give the technically experienced administrator an initial overview of which measures are useful and which tools and methods are available. Most of the technical context is already familiar to this group of readers from their daily work. In practice, however, it can often be observed that when security incidents are actually handled, ignorance prevails and mistakes are made. This group of readers is taught the basics and background of detecting and analyzing system break-ins. They will also learn interesting facts about working with investigative authorities.

Security and IT managers

Readers who do not have an intensive technical background but who are responsible for creating instructions and guidelines can gather further knowledge here about the possibilities of computer forensics and incident response [2]. These findings can form the basis for their own concepts for handling security incidents. Furthermore, this group of readers learns which skills ("skill profiles") and organizational framework conditions are necessary for their own investigation teams.

Prosecutors and investigators

This book should also be read by law enforcement investigators who want to better understand and evaluate the tools and methods used to collect and analyze evidence. An eye for the technical possibilities during the investigation helps to better assess the procedures used or the traces of evidence found, and their limits. Knowing how the traces are found and what they actually say can be very helpful for the later assessment.

Auditors and fraud investigators

All of the above-mentioned groups of readers receive an overview of the methods for identifying and searching for clues after system break-ins. The IT specialists will certainly gain new and interesting knowledge in the area of correctly handling evidence and deciding on further legal prosecution. Prosecutors will appreciate the overview provided here of the technical possibilities for obtaining evidence. Even if the primary focus of this book seems to be on attacks on IT systems, it is important to understand that the methods and procedures described here are often used when offenses in the field of white-collar crime are to be investigated. As the reader will quickly notice in later chapters, the procedure for collecting or analyzing digital traces after a server break-in does not differ much from the procedure required after the exploitation of security and configuration gaps in an internal mail or accounting system. If an ordinary criminal uses information technology systems such as a PC, PDA or mobile phone, the digital traces located there must also be secured, analyzed and documented.

Technical requirements

To understand this book better, the reader should have a basic understanding of security technologies such as firewalls, intrusion detection systems and encryption. Being comfortable on the command line makes some of the technical details presented in places easier to follow, but it is not absolutely necessary in order to understand the basic problem.

1. Forensic [Latin]: judicial, relating to the courts; e.g. also forensic medicine, forensic psychology.
2. Response, i.e. the reaction to a (security) incident.

If in doubt, consult experts!

Likewise, a lack of Windows knowledge should not prevent the reader from getting an overview of the possibilities that Windows-based tools can offer. The author considers it important to point out that improper use may destroy important evidence or render your own system completely unusable. If in doubt, experts should definitely be consulted. Even if you cannot carry out the activities discussed in this book yourself, the knowledge you have acquired still offers the opportunity to get an overview of the available methods and to better evaluate the significance of the results of tool-based investigations. This can be helpful if an investigation report has to be examined or the opportunities and risks of a possible investigation have to be weighed up.

What do you learn in this book?

Main focus: system break-ins

In this book, partial aspects of system or computer break-ins and the problems involved in investigating them are examined in more detail. The other areas of computer crime, such as computer fraud, deception in legal transactions involving data processing, or falsification of evidentially relevant data, are only mentioned to clarify the relevance of the topic. This is because computer forensics is often difficult to delimit. The basic questions required for the legal assessment of "classic" offenses are also valid in the world of computer forensics: Who, what, where, when, with what, how and why?

Searching for, recognizing, evaluating and making use of evidence

The priority here is to obtain evidence that is meaningful enough so that the subsequent steps can be decided on prudently. This book shows where to look for evidence, how to recognize it, how to evaluate it, and how to make it usable in court.

What do you not learn in this book?

No IT fundamentals, no special security technologies, no legal details

This book provides neither the essential fundamentals of IT security nor complete and conclusive information about the functionality and effectiveness of firewalls, intrusion detection systems or other security technologies. Likewise, this book will not meet the requirements of a legal in-depth work. There is already excellent standard literature on all of these areas, which deals with these topics fundamentally and often conclusively. This book cannot present in full detail all of the methods and tools that may be used. For this reason, methods that have seldom been presented before are shown, and already well-known approaches, e.g. from the broad area of network-based intrusion detection, are pushed further into the background. However, suggestions for further research are provided at the appropriate points. Naturally, some of the organizational preparatory work mentioned in this book cannot be implemented one-to-one in your own organization, as each investigation situation can result in a different need for action. For this reason, this book is of limited use as a complete checklist. As in all areas of information technology, the technical possibilities in computer forensics are constantly developing, both among the perpetrators and among the investigators. Following the principle of "expect the unexpected", only an overview of the current situation can be given here; future developments may require different perspectives and investigative technologies.

How do you read this book?

Level of detail

In addition to the possibilities for finding traces of attack, this book also describes which technical and organizational framework conditions are essential for a successful investigation. The level of detail increases with each chapter: from the introductory and basic descriptions, through concrete process flows and investigation techniques, to practical examples based on various questions and special aspects. If the reader is new to the general topic, he should read this book from front to back. Readers with prior knowledge in the individual areas can certainly skim one or the other chapter. You can also use this book later as a reference work or as a source of information for individual questions. Because computer technology is often subject to rapid change and investigation tools and methods are frequently adapted, more up-to-date information on the tools presented can be found on the homepage for this book at.

Chapter 1 Risks and perpetrators

This chapter examines the threat situation and the motivation of the perpetrators in more detail. There is also an assessment of how risk is distributed among the network participants. In order to better estimate the relevance for one's own environment, the reader will find helpful statistical statements in this chapter. It is therefore particularly suitable as an introduction to the topic.

Chapter 2 Attack techniques

If you want to recognize traces of an attack, you have to know how an attack works and which attack patterns leave recognizable traces at all. For this reason, some attack techniques are explained here. The explanations only go as far as is necessary to understand the following chapters. There are some very interesting books that deal with attack techniques and explain them in detail. Readers who are new to intrusion detection should read this chapter.

Chapter 3 Incident response

The necessary organizational preparatory work for handling security incidents and basic information about a sensible incident response procedure can be found in Chapter 3. This includes both the correct selection of the people involved in the investigation and the correct choice of response strategy. It explains all of the important steps in security incident handling. Technicians who want to gain an overall view will find interesting information here.

Chapter 4 Processes and methods

Chapter 4 gives an overview of all the essential actions when investigating a computer break-in, with all the activities to be carried out and information on how to properly secure evidence. The essential and indispensable steps and activities that are necessary to analyze a system are explained. This includes answers to questions such as: What should I do if the computer is still running? Where should one look first? What do I do about forensic duplication? What examinations can be performed on a hard drive image? How do I correctly handle evidence? And so on.

Chapter 5 Post-mortem analysis

This chapter is devoted in detail to the central forensic technique of post-mortem analysis. Essential questions related to the search for evidence on an attacked system are presented. The reader learns where to look for traces, how to evaluate them and how to use them to better plan the investigation strategy. Reading this chapter is helpful if you want to better understand how the tools presented later work.

Chapter 6 Tools

This chapter explains how to work with forensics and incident response tools. The currently available tool collections are presented and their basic functions explained. The last part of this chapter is devoted to the possibilities of putting together your own toolbox.

Chapter 7 Analysis examples

The procedures presented in Chapters 4 and 5 as well as the tool collections from Chapter 6 are illustrated in this chapter using concrete examples. Typical Windows and Unix environments are discussed using typical analysis scenarios. Forensic analysis is also demonstrated on mobile devices such as PDAs and cell phones, as well as on routers. The reader will quickly see which tools are particularly suitable for which examination environment.

Chapter 8 Recommendations in the event of damage

In this short chapter, essential recommendations are presented in the form of a best-practice approach for an incident that has already occurred. These measures are suitable as a basis for creating individual instructions and should be adapted to the respective situation.

Chapter 9 Backtracing

Chapter 9 provides some tips and tricks for tracing possible suspects on the basis of the traces found. The reader will quickly see where the pitfalls lie if, e.g., one has found an IP address in the data traces and believes one knows the perpetrator. This chapter can only be incomplete, but it offers helpful hints for the typical traces found.

Chapter 10 Legal steps

If a decision on further legal assessment is to be made in the course of an investigation, Chapter 10 will help, as recommendations are given there for the event of damage. In addition to some legal terms, the advantages and disadvantages of the legal paths that can be taken are explained. Since investigations into a security incident are not infrequently carried out with the intention of holding the perpetrator criminally or civilly accountable, this chapter deals with the usability of evidence in court. This chapter was created with the support of Chief Criminal Investigator Stefan Becker, case officer for computer crime at the Bonn Police Headquarters.

What's new in the 5th edition?

Much has changed, including statistics, assessments and version numbers. Although the essence of this book has remained the same, I have made some expansions and additions. Almost all chapters have been revised and expanded; e.g., Windows 7 artifacts (especially in the registry and file system) and advanced analysis techniques have been added. New Linux live CDs are now also available and are presented as well.

What's new in the 4th edition?

The 4th edition contains a few new things. Of course, I have adapted the tool overview and added new tools. The statistics and the legal statements have also been updated.

What's new in the 3rd edition?

Of course, some statistics have been updated, and those that are no longer maintained have been removed completely. Especially in the area of tool use, a lot has happened since the last edition, and new investigation techniques for collecting and analyzing volatile data have also been introduced. The procedure for handling security incidents is subject to increasing standardization. This book takes this into account by describing the S-A-P model in more detail and including the corresponding recommendations of the BSI. Compared to the other forensic disciplines, computer forensics is still a very young subject. New methods of investigation are constantly being developed. Some of these have been included in this edition, such as the new approaches to analyzing main memory copies. Many readers have asked for even more technical, platform-specific details. However, this book is intended to provide an introduction to the essential investigation techniques. A deeper study of all possible platform specifics would therefore go beyond the scope of this book. Another addition in this edition, however, deals with the innovations contained in Windows Vista and its file system. Many new traces have been added, other well-tried ones have changed. The area of analysis of PDAs and cell phones has also been significantly expanded and adapted to current technical developments.

What's new in the 2nd edition?

In addition to updating some statistics and the legal framework, the new functions of the tools described have been added to this edition. The changes in EnCase 5 and in AccessData FTK 1.60 were incorporated into this edition. Since the F.I.R.E. CD is only updated sporadically, the Knoppix-based Helix has been included as a recommendation for investigators. The section on the German tool X-Ways Forensics is also new.


1 Threat situation

At the beginning of this book we want to deal with the threat situations to which IT systems are exposed in different ways. This involves questions that relate to the selection and use of protective measures but are also relevant to the search for perpetrators and the investigation of criminal acts: Which parts of my IT system are particularly threatened? How likely is a break-in, and how great is the possible damage? Who could attack, and why? With these and similar questions we will initially approach the topic of computer forensics from the outside, gaining more and more depth of detail as the book progresses.

1.1 Threat and probability

A threat is the potential trigger for an undesirable event that can have harmful effects on the IT system concerned or on the entire organization. Companies and their IT landscapes are exposed to a wide variety of threats. Security officers must identify these threats and assess their severity and probability of occurrence. Countermeasures often only make sense after this careful assessment. The probability with which a threat will occur in the observed environment depends, among other things, on:
  the threat itself,
  the frequency of the threat (probability of occurrence based on experience or statistics),
  the motivation and the required skills and resources of a potential attacker,
  the attractiveness and vulnerability of the IT system or its components as perceived by potential attackers,
  the value that the IT systems and the information stored or processed in them have for the organization itself or for the attacker, and
  the positioning of the company or organization in public or within the political landscape (e.g. law enforcement, public administration and political parties).

Systematics of threats

An existing vulnerability alone does not cause any damage. But it is the prerequisite for a threat to lead to real damage. This determines where action is needed when reducing or eliminating security risks: the security officers in the company should react immediately, with appropriate organizational, personnel, technical and infrastructural measures, to weak points for which specific threats exist. If there are no corresponding threats, one can live with vulnerabilities for a long time. However, it is important to recognize in good time whether and how the threat situation may change. Basically, threats can be differentiated according to their origin, the motivation of the perpetrator, the frequency of occurrence and the extent of the damage caused by their occurrence. The origin of a threat can be broken down more finely: threat from the environment or threat from people. It is also important to distinguish whether a security incident is an intentional or an accidental human threat. When it comes to deliberate threats, we are specifically interested in internal and external perpetrators.

1.2 Risk distribution

Probability of occurrence and amount of damage

A risk can be described by the probability of a dangerous event and the amount of damage to be expected. These two parameters, the amount of damage and the likelihood of occurrence, should be used to assess your own risks. The risk analysis that precedes a security concept is precisely about finding out which company assets could be threatened, what damage occurs to the individual assets and to the company as a whole in the event of damage, how high the probability of damage is, and which weak points exist. Only on the basis of this knowledge does it make sense, in most cases, to implement organizational, technical, personnel or infrastructural security measures.

In principle, it can be stated that with the increase in networked computer systems, the number of attacked systems has also increased. This is also because there are simply more potential targets. By networking a large number of systems via the Internet, new groups of perpetrators with a wide range of motivations enter the playing field. The Internet, with its variety of network services, its globally standardized protocol and application structure and the associated, quite dubious design and implementation errors, contributes to the increase in risk. The probability of an attack via a network connection increases, and as a result a significant increase in incidents has been observed over the past few years. In addition, a certain monoculture in the operating systems and applications used leads to a rapid multiplication of security problems, especially on the Internet. Vulnerabilities that appear, e.g., in the implementation of a certain WWW or DNS server software can immediately be exploited on all systems that use this software. It can also be observed that attack techniques are becoming more and more complex. Attacks that five or ten years ago were considered too complicated and therefore unthinkable are now used every day to break into systems. [1]

Attacks are increasing. Attacks are becoming more complex.

[Fig. 1-1: Attack skills vs. required knowledge. Axes: skills required of the attacker (knowledge required for hacking) versus the capability of the available attack tools, together with tool availability. Labels shown in the figure: password guessing, password cracking, packet spoofing, exploiting known vulnerabilities, backdoors, session hijacking, stealth scanning, deactivating audit measures, self-propagating code, virus/Trojan construction kits, automated vulnerability scanners, anti-detection, phishing construction kits, hybrid multi-protocol attacks, hacker tools.]

1. Adapted from: Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel, Ed Stoner: State of the Practice of Intrusion Detection Technologies; Technical Report CMU/SEI-99-TR-028, Carnegie Mellon Software Engineering Institute, January 2000.

23 14 1 Threat situation The American security company Symantec regularly publishes an "Internet Security Threat Report" 2. For this purpose, alarms from several hundred intrusion detection and firewall systems are analyzed. For this report, the distribution channels of malware were analyzed. Until recently it was believed that malicious code spreads almost exclusively online, but a significant increase in its spread via data carriers has now been recorded: Fig. 1 2 Spreading methods of malware from the Symantec Internet Security Threat Report Attack Trends 2010 Forms of phishing In the The trend towards so-called spear phishing attacks has increased in recent years. To explain: Phishing 3 is a method of attack in which the victim is tricked into entering their details on a trustworthy website in order to gain access to confidential information such as email addresses. B. passwords, TANs or credit card information. A Trojan is often used for this purpose, which deceptively simulates the fake website and then stores the intercepted data in the background on a so-called drop zone server. Another easy way is to host the fake website on a server and lure the victim to that server with fake s. A more recent variant of phishing is known as spear phishing (derived from the English translation of the term spear), including a 2nd Symantec Internet Security Threat Report Attack Trends for 2010, 3rd phishing is an English made-up word derived from Password Fishing ( fishing for passwords).

24 1.2 Risk distribution 15 targeted attack. Here the attacker procures z. B. the e-mail addresses of employees of a company in order to send them a targeted phishing e-mail that looks like an e-mail from a normal business partner or a newsletter for these employees. The "hit rate" of this type of phishing attack is much higher than that of normal attacks, since the probability that the employee will not become suspicious is very high. In professional circles, one speaks of whaling when the targeted attack is directed against high executives. The above-mentioned methods are often embedded in so-called targeted attacks that specifically focus on individual companies. Conventional malware defense methods based on pattern comparison are often unsuccessful here because the attack code has not yet appeared in public and was specially created for one target. Often times, attackers take a long time to attack the right target or steal the right data. In professional circles, such protracted covert attacks on worthwhile targets are also called Advanced Persistent Threats (APT). After gaining access to the victim's network, APT attackers try to remain undetected for as long as possible. Not all data is stolen at once, but the essential and valuable information is gradually compromised. The attacker's target can often change depending on the data found on the victim's network. The last major targeted attacks against major companies and organizations were spear phishing attacks or whaling using malware-infected PDF files. This file format has replaced the MS Office file formats, which had long been discredited, as the greatest threat in this context. In the past, social networks such as B. Facebook, LinkedIn, Xing or StudiVZ come into focus. Whenever an attacker spies on a specific person for a targeted attack, he will find what he is looking for in the multitude of social networks. Information that can be viewed here can easily be used for a spear phishing attack. 
The likelihood that a victim will click on a link from a "friend" is quite high. In addition, these networks are increasingly used for the automated propagation of malware.

1.3 Motivation of the perpetrators

What motivates perpetrators to act? A perpetrator in the field of computer crime is often motivated in the same way as a classic criminal is driven to commit a crime. This includes financial gain, competitive advantage, revenge, a craving for recognition and publicity. Just as in real life certain actions lead to social recognition within certain groups, this also applies in the virtual world. Spectacular system break-ins can certainly lead to increased acceptance in the so-called scene. The number or type of attacked systems are treated like trophies and presented on relevant websites or IRC channels. The names used for people in this scene include words such as Blackhat, Whitehat, Script Kiddie, Hacker, Cracker, Phreaker, Cypherpunk, Eleet, Lamer, etc. The word hacker has become widely accepted as a neutral or even positive name for people who are able to influence the internal processes and functions of computers, programs and information, while the term cracker is clearly negative in nature, since crackers usually cause damage and want to break into systems. In the following, however, the terms perpetrator or attacker will be used; the terms hacker and cracker are used synonymously in this book. The term "elite" has been used since the times of the classic bulletin board systems (BBS or mailboxes) in the 1980s and denotes someone who has extended access to special files, e.g. from the download area. Through the film "Hackers" in 1995 the term elite [4] came to describe the so-called "overhacker". You will often find different spellings such as eleet, leet, etc. It is currently estimated that around 500 to elite hackers worldwide are able to find new security holes, while hackers, for example, can write so-called exploit [5] scripts. Likewise, cautious forecasts assume that "script kiddies" are active on the Internet [6]. Script kiddies are usually only interested in using techniques and exploits to break into systems, while more experienced hackers discover security gaps and develop exploits without the system break-in as their main focus.

[4] So-called "leetspeak", a slang term for "elite speak". Letters are replaced by numbers and special characters: 1 = I, 2 = to, 3 = E, 4 = for, 5 = S, etc. (hacker becomes H4X0r, eleet to, etc.).
[5] Also exploitz or sploit: a technique to break into a system, or a tool that uses or enables this technique. An exploit takes advantage of a vulnerability or weakness of a system in order to break into it.

In addition to the perpetrators who merely re-use known security gaps with generally available attack tools, the motivation of the experienced attackers lies in carrying out activities that are normally not monitored, that are difficult to detect, or that are difficult to reproduce in the laboratory. At the same time, these attack activities must be well concealed, so that it is very difficult to collect evidence or even trace the attack back to the perpetrator. Investigators only achieve their goal here if they have special tools and appropriate experience.

Some rough classifications of hackers have become established in public. This categorization can be very helpful in evaluating and assessing the motivation in the criminalistic sense:

- Social motivation
- Technical motivation
- Political motivation
- Financial motivation
- State-political motivation

The most common type is the group of offenders that can be classified according to their social motivation. Behavior like that in a youth gang or a street gang can be observed. Much like the behavior of such gangs in the real world, crimes are met with approval or "tests of courage" are carried out, which serve to gain recognition for the hacker within his peer group. The hacker wants to belong to a certain group and achieves this through more or less spectacular website defacements or similar hacks.

The group of technically motivated hackers is characterized by the fact that the system break-ins they carry out occur against the background of allegedly accelerating the technological process of eliminating security gaps. Through their actions, the "public" is to be made aware of system and security gaps. They see themselves as educators and want to prompt manufacturers and operators of computer systems to act. Interestingly, almost all hackers claim to belong to this group.

Many hackers also claim that they are acting for political reasons. The politically motivated perpetrators have a pronounced political conviction and present it to a broader public, for example, by altering or defacing websites (website defacement). These types of attacks, which are supposedly political in nature, often get more press coverage than attacks that were carried out for fun. Interestingly, only a few of the hacked systems have anything to do with the supposed political opponent or can be connected to them in any way.

As with "classic" crime, there is also a group of people in the area of computer crime that is driven by financial intentions. Hackers who can be assigned to this group hack in order to enrich themselves personally. This includes activities in the areas of industrial espionage, financial fraud or software piracy. In contrast to the other groups already mentioned, one rarely finds financially motivated perpetrators who brag about their deeds in public. The striving for absolute anonymity can be described as very strong within this group.

For the sake of completeness, reference should also be made to the politically motivated hackers who work on behalf of governments or state institutions. In addition to other governments, business enterprises are also in focus. As you can probably imagine, this is not about website defacement, but about various types of monitoring, information retrieval or modification.

Hackers like to "organize" themselves in groups. These groups are often only a virtual association and often extend beyond national borders. Tips, attack techniques, tools and sometimes pirated copies of commercial software (so-called warez) are exchanged within these groups. These groups give themselves a unique name in the scene and sometimes run their own websites. Sometimes members can be assigned to individual groups on the basis of special, unique identifying features.

In this context, some statistics are of interest: There are websites on the Internet that (for a variety of reasons) have made it their business to record hacked and modified WWW servers and save them as mirrors for posterity. As already mentioned, some groups of hackers have set themselves the goal of being immortalized in so-called defacement mirrors. One such defacement mirror is, for example, zone-h.

Fig. 1-3 Defacement of the website of HP Belgium with reference to the defacement mirror zone-h.org and a corresponding justification

The operators of the defacement mirror zone-h.org try, in addition to archiving each altered website, to record the motives of the hackers [7]:

Fig. 1-4 Attempt to analyze the motives of the attackers (categories: N/A; Revenge against that website; Patriotism; Political reasons; As a challenge; Heh just for fun!; I just want to be the best defacer)

According to the graphic in Figure 1-4, the majority of successful attacks cannot be assigned to a specific motivation (the outlier value for "just for fun" is based on a so-called mass defacement). This would mean that the targets are chosen at random, which would increase the probability of being the target of an attack for all network participants. However, it must be borne in mind for this graphic that only those who want to make their deeds known have "immortalized" themselves here. Anyone who really wants to stay hidden will not publish their attacks here. This is particularly relevant if the perpetrator acts out of financial motivation.

In order to shed light on the motives of criminals from a different perspective, the Criminal Investigation Institute of the Federal Criminal Police Office (BKA) examined the offense "account abuse on the Internet" in more detail. The background to this was a nationwide collective proceeding against more than 1,000 suspects, for which an investigative commission was set up at the Münster Police Headquarters in 2000. Even though this study is more than ten years old, conclusions can be drawn from it that still apply today. The BKA presented an experience report [8] on the "logistical and criminalistic challenges of this investigation", which was based on studies by the University of Münster. Together with scientists from the university, a questionnaire had previously been developed and sent to the public prosecutor's offices, courts and parents of the suspects involved. 599 questionnaires were evaluated. In addition to other questions, the motives were also recorded. The data obtained show that the majority of the perpetrators gave economic reasons as their motive, i.e. personal enrichment was in the foreground. Curiosity came second. Experimentation played an important role for beginners. Where "experimentation and economic reasons" were combined, a lack of money was, as expected, the more significant factor in continuing the offense.

Fig. 1-5 Evaluation of the motives in a major case of misuse of Internet access IDs

[7] Applies only to website defacements.