By now, everyone has heard about the malicious DNS hijacking of twitter.com by those claiming to represent the “Iranian Cyber Army”. Seeing this news spread, journalists have invented an enemy and laid blame based on…facts? No…wait…facts are defined as “Knowledge or information based on real occurrences”. Unfortunately folks, the only thing tying this back to “Iran” is the name of the group responsible for the redirect and the subsequent message announcing the “attack”.
This is sensationalism plain and simple. Here are some examples of the sensationalist headlines and some excerpts from the articles:
Iranian hacker attack: What will it cost Twitter?
Thursday night’s cyber attack against the Twitter microblogging service was no routine assault to bring down a website. It was a sophisticated online blitz – perhaps part of an online Iranian cybercampaign – that could prove costly for social media networks.
A “blitz”…wow…sounds dangerous. “Part of an online Iranian cybercampaign” to what, prevent Americans from sending important updates like “LOLZ, dude failed hiz last exam big time.”, thus disrupting national security?
Twitter Hack: Part Of Broader Iranian Strategy
The attack last night on Twitter was clear retribution for the role that the service played during the [post-Iran election] demonstrations, and the role that it continues to play today. We have spoken to a number of sources overnight who have told us that the Iranian Cyber Army, unlike other groups with similar national monikers, is a group name that is to be taken literally, i.e. it is an Iranian government group. Little is known about how the group operates, but previous attempts to shut off Iranian citizens from Twitter and other web services demonstrate that Iran has the capability and will to use almost any means to control the flow of information on the web both within and outside of its own borders.
“Clear retribution” based on…..well, you remember the elections right and how it pissed off the Iranians….well they have computers…..and the attackers called themselves “Iranian” so…BOOM…there you go! We’ll put this one in the FACT column for sure.
I could have gone further with this post but the other articles I found were just too stupid to note.
Well it looks as though the stars have aligned and I’ll be heading to my very first ShmooCon! I’m really excited as I get to see friends and colleagues I either haven’t seen in a while or that I’ve yet to meet in real life. If you’re going to be there then come find me and say “Hello”.
Note: I’m not very good with names/faces (just ask Rob) so just look for the guy who looks like the following picture and introduce yourself (P.S. beers make him calm and approachable):
The Detect and Eliminate Computer Assisted Forensics (DECAF) counter-intelligence tool was specifically created around the obstruction of the well-known Microsoft product Computer Online Forensic Evidence Extractor (COFEE), used by law enforcement around the world. From the DECAF About page:
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moment’s notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
DECAF can perform the following things to effectively complicate the forensics process:
This tool was designed specifically to combat COFEE but could be updated in the future with more advanced features. One thing that I do not believe this tool is able to do, at this time, is alter the MAC (modified, accessed, changed) times of files. This tool may fool, or at least complicate, the analysis performed by automated tools, but using proven timeline analysis techniques as a starting point should continue to be an effective first step in the forensic analysis process.
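To make the timeline point concrete, here is a small added example (my own code, not part of the original post and not related to the DECAF or COFEE code bases) that builds a mactime-style MAC timeline from file stat data and flags entries whose timestamps look hand-edited. The sample records are constructed for the demo; collect_records() shows how the same structure would be gathered from a real directory. The tampering heuristic (mtime later than ctime) assumes a POSIX filesystem, where a normal write sets both stamps together and utime() can move mtime but not ctime; on Windows, Python reports the creation time in st_ctime, so that check does not apply there.

```python
"""Added example: MAC-time timeline plus a simple timestamp-tampering check.
Sample records are constructed; nothing here comes from the original post."""
import os
from datetime import datetime, timezone

# Constructed sample stat data (epoch seconds), not real files.
SAMPLE_RECORDS = [
    {"path": "/home/user/notes.txt", "mtime": 1261000000,
     "atime": 1261000100, "ctime": 1261000000},
    {"path": "/home/user/.bash_history", "mtime": 1261003600,
     "atime": 1261003600, "ctime": 1261003600},
    # mtime pushed ahead of ctime: a real write would have set both to the
    # same instant, so this pattern suggests mtime was set by hand.
    {"path": "/home/user/report.doc", "mtime": 1261090000,
     "atime": 1261000500, "ctime": 1261000500},
    # mtime backdated below ctime is what an ordinary utime()/touch leaves
    # behind (and what cp -p or tar extraction produce), so it is not flagged.
    {"path": "/tmp/cache.bin", "mtime": 1200000000,
     "atime": 1261002000, "ctime": 1261002000},
]


def collect_records(root):
    """Walk a real directory and collect the same record shape via lstat."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished file; skip it
            records.append({"path": path, "mtime": int(st.st_mtime),
                            "atime": int(st.st_atime), "ctime": int(st.st_ctime)})
    return records


def build_timeline(records):
    """Return rows of (timestamp, 'macb' flags, path) sorted by time.

    One row per distinct timestamp per file, mirroring mactime output; the
    'b' (birth) column is always '.' because plain stat does not carry it.
    """
    rows = []
    for rec in records:
        stamps = {}
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c")):
            stamps.setdefault(rec[key], set()).add(flag)
        for ts, flags in stamps.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, macb, rec["path"]))
    rows.sort()
    return rows


def flag_anomalies(records, now):
    """Return (path, reason) pairs for timestamps that warrant a closer look.

    These are indicators, not proof: clock changes and some backup tools can
    also produce them, so each hit should be checked against other evidence.
    """
    findings = []
    for rec in records:
        if rec["mtime"] > rec["ctime"]:  # POSIX-only heuristic, see lead-in
            findings.append((rec["path"], "mtime later than ctime"))
        if max(rec["mtime"], rec["atime"], rec["ctime"]) > now:
            findings.append((rec["path"], "timestamp in the future"))
    return findings


def format_row(row):
    """Render a timeline row as 'YYYY-MM-DD HH:MM:SS macb path' in UTC."""
    ts, macb, path = row
    stamp = datetime.fromtimestamp(ts, timezone.utc)
    return f"{stamp:%Y-%m-%d %H:%M:%S} {macb} {path}"


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_RECORDS):
        print(format_row(row))
    # 'now' is fixed so the constructed sample is reproducible.
    for path, reason in flag_anomalies(SAMPLE_RECORDS, now=1261100000):
        print(f"CHECK {path}: {reason}")
```

Running it lists the seven timeline rows in order and reports report.doc for its forward-dated mtime. To use it on evidence, call build_timeline(collect_records(mount_point)) against a read-only mounted image, and treat the flagged entries as the starting points for the manual timeline review the post recommends rather than as conclusions.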
The DECAF tool can be found here. I encourage you to download it and see how much it changes your own forensic analysis techniques.