Infiltrated the office of the fighters against hackers and carders

Cloned Boy

LAIR OF FIGHTERS AGAINST HACKERS AND CARDERS.

Famous carder Sergey Pavlovich continues his conversation with Sergey Nikitin, deputy head of the computer forensics laboratory at Group-IB, the main Russian private fighter against hackers, carders and other cybercriminals. We met right in the company's office to see everything live.

Enjoy reading!


Contents:
  • "We film and show Group-IB's lair"
  • 9th floor, medals and awards of Group-IB
  • "Sport is related to work" - "Or is it related to chess?"
  • Crime Trend Predictions, "God's Eye"
  • Punching services, Navalny's investigation
  • Group-IB's personal wall, "digital hygiene"
  • Gratitude from the Investigative Committee, cheating in the show "The Voice"
  • "Holy of Holies" - Forensics Laboratory
  • Negotiation booth
  • "MAC Forensics", Apple's T2 Chip Vulnerabilities
  • "Passwords are mandatory", keys, password complexity
  • "iPhones below 10 are unsafe"
  • What education is needed to get into Group-IB
  • "We really need developers"
  • Forensic Computer, Magnet Axiom
  • MAC addresses
  • "Sometimes I study several million files"
  • Work of several specialists
  • Complex cases
  • "Hardware" of Sergey Nikitin and Group-IB
  • Exclusive
  • $100,000 Password Brute Force Program
  • How encryption keys are removed
  • Protection against vulnerabilities
  • USB Write Speed, to be continued...

"Filming and showing the Group-IB lair"
Pavlovich:
Hi, guys! Today we came to Group-IB and are interviewing you right in our own lair.
And today we will not only tell you, but also show you. Let's go! Oh, hi-hi! So, have you penetrated the lair?

9th floor, Group-IB medals and awards
Specialist:
Yes, this is our ninth floor. We will look at many floors today, but, of course, we will not see all of our offices, because the units are not foreign. Probably, the ninth floor will be the most interesting, because there is a lab here.

Pavlovich:
This is yours, right?

Specialist:
Yes, there is a computer forensics lab here, our CERT is here, and there are many of our awards and letters of thanks here.
Some of this can even be shown and told. Almost everything is connected with some case, incident. We even made commemorative sneakers.

Pavlovich:
From Nike, right?

Specialist:
Yes, yes, yes. Medals.

Pavlovich:
From Kyrgyzstan.

Expert:
Yes, of course, we work in the CIS and all over the world. Gradually collected, in general, all sorts of awards.

Pavlovich:
Well, something from Interpol.

Expert:
Executive Director of Interpol. We have signed, in fact, cooperation agreements with Interpol, with Europol. Well, and, in fact, here you can see that this is Vietnam. Asian. Yes, yes, yes, this is Vietnam. Lots and lots of all sorts of awards. We can look. Yes, we had all sorts of security leagues there. Checked, no fraud. Look, guys.

Pavlovich:
Internet. Checked, no fraud. Probably.

Expert:
Runet awards. Well, that is, you see, yes, all sorts of cups. It's like... A small place. But that's not all. That's not all.

Pavlovich:
Oh, and you can also use them for weight training. Instead of dumbbells, these are pretty heavy. Well, by the way, you know what? It's the same prize, right? Yes, yes, different years. But I want to say that it is very noticeable even by the weight of the statuettes that the welfare in the country has worsened significantly. Because in 2013 they weigh almost 2 times more than in 2018.

"Sports are related to work" - "With chess, or what?"
Specialist:
Yes, in fact, sports are very much related to work. We have a bunch of different sections in the company. It is all encouraged in every possible way, paid for, promoted. Ilya regularly invites everyone to run, overcome obstacle courses, box, that is, in fact, there is a hobby for every taste.

Pavlovich:
And what are you into? Chess?

Specialist:
I'm not super athletic, for me, I think it is noticeable.
Once I took part in "What? Where? When?" and in all sorts of brainstorms.

Pavlovich:
I thought you were defending intellectually. Help.

Crime Trend Forecasts, "God's Eye"
Specialist:
Yes, you can, you can knock someone out. It says CyberCrimeCon, it's an annual conference that we hold in the fall, sometimes October, sometimes November, where we talk about trends and forecasts for cybercrimes for the next year.

Pavlovich:
So that's what you predict,

Specialist:
What will happen next, what will happen next year, what to be wary of, how to defend yourself, what to defend yourself with, all that stuff.

Pavlovich:
And I was just filming God's Eyes, I think I don't need to tell you what kind of tool it is. Yeah, sure. By the way, he's a cool guy, many people think he's a drop, but he's not a drop, he's really the owner, because he's seen too much to doubt. And they've also launched the Photon system, it'll start working in a little while. They're also predicting some events based on search queries and so on. That is, he knows today what will appear in the press tomorrow.
That is, they figure out that this group of journalists has started to take an interest in, I don’t know if it will happen or not. So, accordingly, tomorrow, the day after tomorrow we will appear in the press. This is also a certain kind of forecasting.

Punching services, Navalny’s investigation
Specialist:
We were filming one of the films together with the editors. They were just doing punching through all these databases. We were talking about how the Darknet works, how all these punching works. And the people they bought these services from, they immediately say, who are you? Like, oh, the account is real, he wrote from Legi. Like, oh, you are a journalist, I know. Then they say, okay, no questions. Like, now, now we’ll organize everything.

Pavlovich:
Well, after Navalny, things got much worse for all the punching services.

Group-IB’s personal wall, “digital hygiene”
Specialist:
So, what’s going on here, sales department, isn’t this yours? Yeah, we have our board here, like, our life, you see, birthdays, all sorts of get-togethers.

Pavlovich:
With a machine gun, dude.

Specialist:
Yeah, yeah, news, measures, etc. And our corridor that leads to the lab. You can dump dirt here. Always remember about digital hygiene, which we regularly talk about in our broadcasts, to update everything, you see.
Yeah, such a reminder is never superfluous.

Pavlovich:
Just yesterday I set this password to enter Telegram on my computer.

Specialist:
Good.

Pavlovich:
It was always on my phone, I couldn't find it for my computer, but now everything is clear.

Thanks from the Investigative Committee, cheating in the show "The Voice"
Specialist:
So, that means that we can see here about various thanks? For example, here is a thank you from Kazakhstan. Now I understand why you said, let's better approach this account. There will simply be a lot of interesting things further on. This is probably also a cool story. You can film it. Here is BSTM.

Pavlovich:
BDSM.

Specialist:
Yes-yes-yes. Also here is simply the Investigative Committee. Here. Also the Investigative Committee.
Well, that is, we work with everyone we can. Here. These are also some CIS stories. We saw the International story. Some of our coolest cases of PR activity, yes, we also hang them up so that they are visible, for example, the investigation of the show "The Voice", yes, remember when there was manipulation, yes-yes-yes-yes, we did a recount, did an audit, well, this even took off abroad, yes, that is, everyone was interested in how much this could happen and how to make these votes safe in general, here.
Here is an electrical panel from the load from our computers, which, let's see, sometimes it happens that the network is cut off.

"Holy of holies" is a forensics laboratory
Specialist:
Well, the holy of holies is our Digital Forensic Incident Response team. You can't just get there, but with me everything is possible.
Well, and our laboratory.

Pavlovich:
The holy of holies, you could say, right?

Specialist:
Yes, yes, yes, the holy of holies. I'll now indicate where what happens here, what kind of magic. Basically, yes, our incident response team sits there. Computer forensics sit a little closer here. The right side is given to our trainers, that is, our training teams, just all sorts of new cyber professions.
Well, you've already burned the zoom room on Instagram, right?

Conference booth
Pavlovich:
Not yet, but I'll post it now. Zoom room, yes. Zoom room is a conference room, as I understand it. Just talking on the phone.

Specialist:
Yes, so as not to deafen everyone around. We use it for negotiations. Although I'm sure there will be jokes about torture in the comments. It is well soundproofed so that you can talk to clients without deafening others. 100% of suspects are beaten here.
Yes, you see that very button there: apply current, apply current, there, apply gas.

"MAC forensics", vulnerabilities of T2 chips from Apple
Specialist:
Remember I told you about the vulnerability of T2 chips in Macs, right now I want to show you a tool for hacking has already appeared, although it also only works on Macs, but it is still interesting in general, we often do Mac forensics on Mac, because there are a lot of these utilities, it is, in general, native to Mac and therefore necessary. And one of the utilities, yes, is called Unlocker. It works quite interestingly, which means that there is no super magic here, but I will tell you how it works.
Well, there really aren't any colorful graphics here. What's the point? Macs have what's called Target Mode. Basically, any Mac can be used as an external drive. Hold down the letter T when turning it on, and it will go into this external drive mode. I didn't know that yet. Naturally, if encryption is enabled, it will ask for a password. FileVault 2. Yes, FileVault 2. And the trick is that you can use some Target Mode.
In addition, Macs with the T2 chip have a mode called DFU. It's like iPhones for flashing. Because they have their own small operating system in the T2 chip, and it's the T2 chip that's vulnerable. What's the trick with this software? It allows you to reset the boot password. Not the password for entering the operating system, but you can set restrictions on what you can boot from. So that it would be impossible to boot from external flash drives, or anything else, but only from the operating system that is inside.
This thing, this password allows you to remove it altogether. And this is only the beginning, in fact. This is exactly how you can install a rootkit on these Macs, because this T2 chip works before the operating system, and that is, you can reset all the protection on it and completely destroy this small operating system, after which, when you boot a normal Mac, it will already work as a keylogger, it can collect everything from the keyboard and send all sorts of things, because it was designed as this very security chip, that is, it already has super access.
And already, in general, the first utilities have appeared to bypass all this, but so far they only reset passwords, but it is obvious that...

Pavlovich:
Well, you wrote this yourself, right?

Specialist:
No, no, no, that's straight, yes, that's straight, there are developers there... And what about the password to enter the operating system? He can't reset it yet, but that's a different matter, that is, after hacking this operating system, you can infect it and just wait until the person enters this password himself. Well, and remove the keylogger, right? Yes, yes, that is, the keylogger that loads even before macOS itself.

Pavlovich:
So look, is a password for entering this, the operating system, necessary at all, yes, in the framework of my criminal cases, it was like this, they just take the hard drive, take it out and connect it like a flash drive to the computer, to EnCase, in my case, and that's it, and just rummage through the files. On Macs, this won't help, or why?

Specialist:
No, if FileVault is enabled, then the password for entering is also the password for decryption. That is, if you just get access, then you will see just encrypted data until you enter this very password for entering.

"Passwords are required", keys, password complexity
Pavlovich:
That is, it is necessary to get it on Macs so that no one gets access there, either law enforcement, or some hackers who want, or industrial spies, yes, commercial ones who want to steal your information. You just need to enable this FileVault encryption.

Specialist:
Yes, that means FileVault, you need to enable it, and when you enable it, it will offer to save the key to the iCloud server. You don't need to do that. You had an interview, I forgot the guy's name, he said that his Mac was hacked in one go. Most likely, he had a key saved in iCloud, and Apple issues everything from iCloud to the FBI in one go, simply upon request, instantly. And that's it, they receive the encryption key and open it.
Therefore, when you set encryption in FileVault, don't give the key to iCloud. Yes, it's not that convenient, because if you forget the passwords, then everything, all the data will be lost forever.

Pavlovich:
I have it written down in Apple notes, notes are stored in iCloud.

Specialist:
Also, yes, I have that too.

Pavlovich:
We need to get rid of this one, I have it written down on paper and in notes. In short, we need to remove the notes and leave it only on paper. Or you can also get a tattoo of some kind here.

Specialist:
Better not in a visible place. Yes, that's why the idea is absolutely the same. Turn on FileVault, and of course the login password must be strong. Because you can simply try passwords, yes, do it by brute force. If the dictionary password is simple, it can be easily bypassed.

Pavlovich:
Well, again, these are just complex passwords. We always remember that complex passwords are long and complex. What is the minimum length, remind me?

Specialist:
I would recommend at least 10 characters, numbers, upper and lower case letters, and special characters, some asterisks, I don't know, dashes, and so on and so forth. And I repeat, yes, unfortunately, Macs with the T2 chip turned out to be unsafe, so everyone switch to M1. Now M2 will be presented on June 7. Yes, new MacBooks may be presented, it is unclear whether there will be a conference at WWDC, but so far there are only rumors about what will happen, whether there will be new Macs now or in the fall, but in any case, from a security point of view, this is a big step forward.

"iPhones below the 10th are unsafe"
Pavlovich:
There will already be 10-core ones. So, what else is on this computer?

Specialist:
On this computer, for example, there is a program for jailbreaking iPhones, which just with vulnerable chips, and, let me remind you, this is the tenth iPhone and below, allows you to do jailbreaks regardless of whether you know the password or not, and even without knowing the password, such a jailbreak allows you to extract some data. Not everything. There, roughly speaking, what comes in notifications, some cached text, there may be a little media there, but sometimes it can be critically important.
Therefore, I repeat that iPhones 10 and below are vulnerable, they have a vulnerable chip, this cannot be fixed in any way, and therefore it is better to change them.

Pavlovich:
Yes, and again, no one paid us for advertising Apple, unfortunately, although it was high time.

What education do you need to get into Group-IB
Pavlovich:
The first question is, before I forget the question, left yesterday by our viewers. Is it possible to get a job at Group-IB without a specialized university education?

Specialist:
Absolutely yes. Education is not a criterion for us at all. We employ people without any higher education, for example, with secondary vocational education. Skills are much more important, yes. That is, in the description of each vacancy it is written what you need to be able to do. If you can do this, then there will be no more special questions, yes. We absolutely only support self-taught people. We even have people without higher education in top positions. And, well, they simply grew to this level.
Therefore, yes, yes, the answer is definitely yes. Find what you like, find a suitable vacancy, write. Possible options, including some kind of internship, traineeship, anything. We are especially super...

Pavlovich:
Are the internships paid?

"We really need developers"
Specialist:
In different ways, depending on what kind of division it is, where, and on the need, yes, whether interns and trainees are needed there at all. And we, like probably everywhere, now have an incredible shortage of developers.
If you write in anything, but at least in BrainFuck...

Pavlovich:
BrainFuck - what is it?

Specialist:
BrainFuck is such a crazy programming language that was invented so that it was impossible to write in it, consisting of all sorts of different brackets. All the operators there are also sets of different brackets. And the code in it looks just crazy. I can imagine.

Pavlovich:
Something like Dogecoin.

Specialist:
Yes, yes, yes. That is, it is also just a joke, a conditional programming language. But I mean that developers are very much needed. We will talk to our head of development today. He will tell you what cool projects we are doing here. Because it may not seem so from the outside, but when, for example, you need to check millions of Sberbank logins, and this, imagine what kind of load Sberbank has there. Well, this is already a high load, of course. Yes, that is, this is a super high load, and these are real challenges constantly in programming, interesting tasks.
And here it does not matter at all whether you have any diplomas or anything. If you can code something like this, if you are interested in it, then we invite you.

Forensic computer, Magnet Axiom
Pavlovich:
Well, let's see what you have on your computer.

Specialist:
Yes, this is a computer, first of all, we can generally say that it is our person's forensic scientist. That is, we have a person there in a similar configuration who responds to an incident. And the first thing I show is the Magnet AXIOM program, it is Canadian. And this is simply to show what a forensic scientist's work looks like.
We have filmed many of my funny stories, but behind each search, behind each funny story with the explosion of all sorts of these very doors and so on, there is then quite painstaking analytical work. And it looks something like this, yes, that is, some image is processed here, that is, some kind of storage medium. An image of a hard drive. Yes, a hard drive, SSD, as far as I remember. Here, we see that this is Windows, that is, we analyzed Windows.
We see that this program can parse here, that is, automatically extract and provide in a form convenient for viewing. For example, all RDP connections are there. Or Amcache, this is a special cache of programs that were executed. There are, among other things, hashes and the number of launches. All sorts of things, like which one to use, which files were clicked, Windows logs.
And, probably, here we can immediately tell you that Windows itself is just a huge means for collecting all sorts of data, that is, there are thousands of different logs, different files, a huge amount of everything is logged, especially starting with Windows 8.1, well, and dozens of them, of course.

Pavlovich:
What is this for? To fix some bugs?

Specialist:
No, here it is rather simply for the functions of Windows itself. Firstly, it seems to monitor users, when something happens to them, when there are some errors.
Plus just regular logging, so that everyone with the admin can figure out what happened and how. And simply, for example, when Windows shows you the last launched programs, all this should be stored somewhere. And all of this can be used, and it is used for computer forensics, in this case, to figure out how this victim's computer was infected, that is, how the victim's computer was infected, when, what happened, what events took place, and in fact, the work consists of the fact that here in the chronological date, that is, sorted by time, you can just see it right down to the second, there are 14, 10, 15, 16, 17, all the events that took place at this time, that is, there are many, many, many different ones, the user opened shortcuts there.

Pavlovich:
This is fresh April 16.

Specialist:
Yes, this is a fresh case. That is, you can try to figure out what exactly happened here, how the infection occurred, where it came from.
And this is precisely the kind of painstaking analytical work, start-service, start-service. More manual, right? Yes, well, I mean, what is the convenience? This program, it is like a Swiss knife.

Pavlovich:
What is this called?

Specialist:
Magnet AXIOM. It's called AXIOM. Canadian. I'll try to show you now. Well, it's still a small thing. Magnet AXIOM. The Canadians are really cool guys. They went public, they attracted a ton of investment, they're moving forward by leaps and bounds.
Before, they only supported Windows, then Windows and Mac, and now they've started supporting Windows, Linux, and Mac. That's the trick. This thing doesn't do magic, it doesn't solve the case for you. It just automatically goes through the entire disk, pulls data from all known sources, and presents it in a convenient way for viewing.

Specialist:
Well, here on the left, just like the table of contents in a book.

Pavlovich:
Yes, let's say I look, there's an RDP connection, yes, I click it, and it immediately, after thinking for a bit, shows me the incoming connection, where it came from, which user did it, or the outgoing connection.

Specialist:
Where it all happened. That is, it's just a convenient presentation. Yes, you can find all of this manually in the event logs, simply by opening the corresponding journal and entering the event number. This is simply a more convenient presentation to immediately view everything in chronology, because events can be related, that is, one thing, another. Sometimes you can see how they inserted a flash drive, a shortcut, opened a program, and now it has already dropped its System32 files, oops, an autoload was created in the registry, and so on.
That is, right one after another.

Pavlovich:
This is what I think, a construction company, right?

Specialist:
No, no, no, it’s just some kind of domain they have, it’s not related to them at all. Because there is a construction company of the same name.

Pavlovich:
Maybe, by the way, maybe.

Specialist:
Here, and the name of the computers and so on. In my opinion, this is generally related to the fact that one of their floors is called that, and everything in this office.

Pavlovich:
What else is interesting there?

Specialist:
For example, all the flash drives that were plugged in are there, yes, all the flash drives that were plugged in, their serial numbers, a little, yes, there are dates when it was plugged in, when it was plugged in for the first time, when it was plugged in for the last time. Windows stores all of this, the serial numbers of the flash drives, right? Windows stores everything, yes, for shortcuts, for example, it can even store MAC addresses.

MAC addresses
Pavlovich:
By the way, the question was about MAC addresses, that is, is it enough to change the network card and do you need to reinstall Windows later, for example, for the MAC address to change?

Specialist:
It is absolutely necessary to reinstall it, because we can see.

Pavlovich:
Is one network card enough to change the MAC address? Yes, yes. Replacing the network card and changing Windows, then we reinstall it.

Specialist:
Yes, but here we also need to take into account that Wi-Fi, Bluetooth and network cards have MAC addresses. That is, each of these three things has its own MAC address. And it depends on how you accessed the Internet, that's a big question.

Pavlovich:
So you're not showing one common MAC address, but several?

Specialist:
Yes, there may be several, it depends on what you accessed it through. That's why what we call the MAC address of a standard computer is the network cards that are built into the motherboard, the motherboard in general, that is, you only need to change the motherboard entirely.

Pavlovich:
So it turns out that Wi-Fi is not Wi-Fi, that is, all devices that connect you to the Internet have a MAC address?

Specialist:
Yes, all of them, if I were to say it in a really nerdy way, then all network devices that provide the data link layer of the connection, where we have frames and channels and MAC addresses are needed for this, where there is no IP yet. Actually, that's what MAC addresses are for, so that... Then, in theory, it was also in the eco-port, in theory. Possibly. Possibly, at one time, yes, but I already... You didn't live there. I lived there then.

Pavlovich:
Not via Bluetooth, but via IP, these are my infrared...

"Sometimes I study several million files"
Specialist:
No, I lived there then with the infrared cameras and Internet distribution, but I wasn't a forensic scientist then, yes, I was still a schoolboy. So, what else could there be here? All sorts of, let's say, autoloads, yes, starting some services, yes, there are millions of services here, let's say, which folders the user clicked on, and all of this can be analyzed and something can be found.
I mean, I myself...

Pavlovich:
How long does it take you to show me 10 thousand files?

Specialist:
Yes, sometimes several million. Sometimes there are several million, it's just like that...

Pavlovich:
And how long will you study, for example, before you dig up the threads, these 10,375 files?

Specialist:
Usually, usually the bulk of everything is found in the first three days. Well, that is, three working days for sure, yes. That is, eight hours. You need to really get into it. Then comes the analysis of what we found. Because, as it happens, I found some kind of virus, virus analysts analyze it. By the way, today we will talk to Roma, he will tell us who virus analysts are, and show us IDA Pro. Here. And he is like, look, this thing drops such-and-such files, and also drops them.
I'm like, okay, we need to look for them. Why didn't I find them? Like, oh, they've already been deleted. We're restoring them from deleted. Oops, we found them. He says, now I'm going to reverse them. We reversed them. He says, look, it connected to such and such a place. Such and such network addresses. I say, let's search the computer, were there any connections to these domains at all. And then we find in the swap file, let's say, that not only were there connections, but such and such data was transferred there, such and such scripts, or even templates of some payment orders, that is, you can find anything in this trash in the swap file, you need to know what to look for.
And so this thing is several iterations, there is a primary analysis, then a deeper analysis, then collecting traces, well, plus you need to write a report on all this.

The work of several specialists
Pavlovich:
Well, you see, it requires the work of several specialists at once, you, and then virus analysts.

Specialist:
Yes, we will parallelize the work, it turns out more efficient, that is, we have specialists in combination, there are virus analysts. There are companies where these roles are combined, that is, one person does everything there.
It takes much longer. It is a little more complicated, longer, on the other hand, he has a more complete picture in his head, on the other hand, it is difficult to parallelize the work. That is, we gave the guys there samples, a bunch of stuff, they analyze, and we continue to look for something here.

Pavlovich:
And if there were several million files here, how much would that be?

Specialist:
It does not fundamentally affect the quantity, of course, it depends on what questions the reanalyst faces. That is, if we are looking for something there, the more files, the longer the image process will be, that is, the very launch of the processing, it takes some time. But for now, it will essentially index it. Yes, yes, yes. And the more files, the larger the image size, the longer it takes.

Complex cases
Pavlovich:
Can you recall off the top of your head the most complex case you had to deal with, was there some very important order that took the longest to investigate?

Specialist:
Listen, sometimes there is a lot of stuff, large volumes. Longer and more complex, probably. I'll tell you about two cases. The first case was such that it was necessary to analyze about, I wouldn't lie now, I think 4 terabytes of email correspondence, and it was just FreeBSD, well, a variety of it.
There was a ZFS file system, which is not supported by much there, and this thing needed to be virtualized, that is, the server needed to be made virtual, that is, it only had images, yes, and it needed to be virtualized so that it would start up just like a virtual machine here, so that the file system would start up, and so that it would be possible to extract data from it. And because of the volumes, that's exactly what you said, because you need them there, you have multi-terabyte all these stories, it's quite long and complicated.
Another case, specifically a technically complex one, was related to the fact that there was one company, it wrote a rootkit with drivers and manipulated the market. So, I can't name the industry, I think I mentioned this case, but the trick there is that there is no virus as such, they themselves distributed legal software, and through this legal software they distributed viruses. And just to think of this, and to understand, and to find that there were backdoors right in the drivers of this software, that they were dual-purpose, it was a real challenge.

Pavlovich:
And what did they need this for? Was this some kind of boss-order for them?

Specialist:
The trick is that, roughly speaking, they supplied this software to their counterparties, and these counterparties could choose from whom to purchase goods. And it turns out that these people, they had a lot of software from different people, different companies, different competitors. And they stole other people's price lists with this market.
That is, they found out how much goods cost from their competitors, because their clients had programs from several at once, they chose where to purchase. Their program stole information from each other.

Pavlovich:
But this is already a kind of commercial espionage.

Specialist:
Absolutely 100% industrial espionage, and they made prices literally a few kopecks lower in order to win tenders, to win purchases.

Pavlovich:
Such software could have been supplied for free. And how did the story officially end?

Specialist:
I don't know how it ended officially. Officially, it was like these people through whom it was done, apparently, the top management was not aware of it. It was an initiative on the part of the developers directly, well, of a kind of middle management. And what they did internally after that is unclear.

Pavlovich:
There was no case.

The "hardware" of Sergey Nikitin and Group-IB
Specialist:
Yes, I don't know about the case. I don't know the details of how it ended. But if there was, you would know from the news in the press. Absolutely definitely, it didn't leak anywhere.
So, regarding the computer, yes, what needs to be done to drag such things? Here I have two Xeon processors in the unit, a dual-processor motherboard, 128 gigs of RAM, a 2 terabyte PCI-Express SSD and a RAID of 2 terabyte SATA SSDs for 8 terabytes.
The point is not in storage, but in having very fast access to data, that is, the read speed is now about 2 gigabytes per second. This is exactly what is needed to quickly analyze data, quickly copy it, transfer these images, convert and all that stuff. For storage, we use our servers, we have entire file storages in the office.

Pavlovich:
Well, and they are physically there.

Specialist:
Yes, this is for quickly dragging something like that around. But it is precisely for fast processing that we need powerful computers. Now this configuration is already outdated; now I would probably build this thing on AMD processors, on their Threadripper. They are seriously ahead of Intel now, and most importantly, instead of two processors with 12 cores, I would immediately put a 32-core Threadripper there; there is only one processor, the board is much simpler, no need to build all this stuff that I have there.

Pavlovich:
Cooling systems. They always have a problem with AMD compared to Intel; they always had a problem, they get very hot.

Specialist:
But now it is the opposite: they have changed the process technology, their process node is smaller, and they run much cooler. So we see, yes, there...

Pavlovich:
It's time to buy AMD shares.

Exclusive
Specialist:
Yes, we see that there are 24 physical cores, 48 logical ones; that is, in fact, during processing, it is all completely loaded. Well, and SSDs, yes, that is, there, roughly, for 7 terabytes, yes, this is a RAID of SSDs, RAID 0 of SSD arrays, in order to access data as quickly as possible.
So, from the interesting things: in fact, labs are being filmed not for the first time, yes, and there we have already shown everything that can be shown many times; I do not want to repeat myself, I want to tell you all sorts of exclusive things.

Pavlovich:
Yes, I need exclusive ones.

Specialist:
Yes, you have interesting things, and the first thing I will tell you about is SVEA; this is very often asked, what is used to pick passwords. So, according to SVEA Forensic Toolkit, it is a whole complex, let's say, such a super tool for picking passwords.
Is it free? No, it's paid software. It all costs a lot of money.

Pavlovich:
How much, approximately?

Specialist:
Tens of thousands of dollars.

Pavlovich:
Now that's pure software.

Specialist:
Yes, yes. What Axiom showed me was PassWare.

Pavlovich:
It is unlikely that you will sell it to a third party.

Specialist:
It will not be sold that easily. There are all sorts of business versions, but you can't just buy the Forensic versions. There is also all sorts of software that is not sold in Russia at all. Take Cellebrite, which we will talk about. That is, we bought it, but it will most likely not be supplied to the CIS anymore.

Pavlovich:
It is just that you bought it a long time ago.

Specialist:
Yes, we bought it a long time ago; we are currently repairing it, yes, mythically, three days before the ban, its power controller failed, but it seems that our reseller still sells to us; they promise to fix everything and return it. Well, plus there is a ban on sales to security services; we are not a security service, so I hope that we will continue to cooperate with Cellebrite.

Pavlovich:
Well, you know, they will even bypass the authorities; that is, a Russian company will buy it for me, I don't know, not a Belarusian one, let's say, I don't know, some Baltic company or other, and it will be brought here, just in a suitcase.

A program for $100,000, password brute-force
Specialist:
Yes, this can happen too, yes; that's why some software is not sold in the Russian Federation at all, not even close, anywhere else either. For example, Cellebrite has a premium service that can hack iPhones, can brute-force codes and passwords to them, using some unknown vulnerability; they can hack up to this very thing, up to 10C and 10P, namely brute-force passwords and get full access there, but they don't supply to a bunch of countries; that is, they only supply to such NATO-friendly strange ones. In short, repressive regimes. In general, not even close, yes-yes-yes.
So, what can this thing do? It can, let's say, we can see: crack BitLocker, FileVault, TrueCrypt, VeraCrypt, LUKS, yes, McAfee, DriveCrypt. This is exactly brute-force, this is exactly brute-forcing passwords, and they can use the GPU, yes; that is, they can do this on video cards to greatly increase the efficiency of the device. And how much will the performance increase?
Tens of times. Naturally, if you buy all sorts of Teslas from NVIDIA, but now, unfortunately, miners have grabbed all this; there are big problems with this now, even just buying a video card for gaming. That is, not in theory, but in practice, they regularly optimize all this in order to crack faster. This is why strong passwords are important. And I see that there is no BestCrypt at all? By the way, there is no BestCrypt here now, but they were able to crack not full-disk encryption, but containers.
Containers it can do for sure, and this is when the disk is fully encrypted. What is it? This means when you can create images on a Mac, like a disk image, dmg, and you can put a password on it. This is a little different from FileVault, so it is highlighted here separately. FileVault is what it uses now. What else can it do? This is full disk encryption, but besides that, it can hack, search for some containers or even encrypted Microsoft doc documents, and break them.
Yes, plus, if there is a RAM dump, it can extract passwords from it, for example, those saved in the browser; it can extract iCloud data, it can extract data for some user passwords.

Pavlovich:
Well, passwords for encrypted disks, for example.

How encryption keys are removed
Specialist:
And passwords to those very crypto disks; that is, for example, if I choose APFS, yes, there it is FileVault, it says: do I have a disk image? I do. Or I have access to iCloud, where that very key I was talking about can be saved. And here you just enter your login and password for iCloud; it itself pulls out the key, itself decrypts the image. That's it. That is, all this is very user-friendly here.
But I wanted to show a slightly different thing. What did they come up with? It turned out that in modern computers, which have a large amount of RAM, the RAM is not reset very well. And after the first restart it is cleared.

Pavlovich:
When you reboot the computer?

Specialist:
Yes, yes, yes. And what did they find out? If you switch the computer off hard, that is, not through the menu, there, Shut Down or Restart on a Mac, but simply hold down the button; do not pull it out of the power supply, but press the reset button, or if you hold down the power button on the laptop so that it reboots, then a very large part of the RAM remains. They made a special bootable flash drive; that is, it now offers us to create such a flash drive. Here, you can boot from it, and immediately after rebooting it will dump the RAM, all that is available.
It itself takes up literally a few megabytes, so as to overwrite as little as possible. What do they offer? If you come, see that the computer is locked, they do not tell you the password, insert the flash drive; you still do not lose anything, even if everything is encrypted there, just reboot and immediately take the dump. Here, that is, it boots from the flash drive and immediately takes the dump, and after that there is a good chance to extract the encryption keys from there. If you reboot in the normal way, VeraCrypt, BitLocker, and FileVault will all erase the keys using a special procedure.
That is, most of the RAM will remain unchanged, but these keys will be erased, and if you reboot hard, you can boot and try to pull these things out. So, I tried to do this on Windows, on a laptop with BitLocker. - BitLocker - is that a standard tool? - It is a standard encryption tool in Windows, yes; that is, in Windows 10, BitLocker is right here, it is built in, yes. I have here, for example, a disk, yes, here it offers to manage BitLocker,
yes, that is, it offers right here, yes, there, to remove encryption, here, turn off BitLocker, Recovery Key, there, on which disks it is on and off; that is, this is about the Professional version of Windows, which has all this already built in. The encryption itself is not bad, not bad; the main thing is, again, whether you use a Microsoft Live account, yes; that is, in Windows, as it is possible now, you can simply log in as a local user, or you can add an account in Microsoft Live, as it is called,
and you will immediately log in to it, like an analogue of iCloud from Microsoft, and again it will offer to save the key on Microsoft servers; well, it is clear what all this leads to. If you do not save it anywhere, do not store it anywhere, and use a long strong password, it is also absolutely not bad in principle; that is, it takes a long time to brute-force, well, and it is quite a pain. What am I talking about? About what I tried on a Windows laptop with BitLocker: there were 24 gigabytes of RAM, and I rebooted three times, and on the third time it was able to pull out the keys.
That is, this thing will not be stronger at all, but even if in one of three cases it bypasses your faith in TrueCrypt or FileVault and BitLocker, it sounds very cool.

Vulnerability protection
Pavlovich:
Well, and you see, after the third reboot there even remains...

Specialist:
No-no-no, I mean that I tried three times, and only the third attempt worked. Each time I booted up, went in, entered the password, did something and took it again; that is, the first two times it was overwritten, the third time no, it found the key, pulled it out; that is, the efficiency is about 30 percent, but it depends directly.

Pavlovich:
But this is still a small sample, maybe more, maybe less.

Specialist:
Yes, maybe more, maybe less, if you have done it a thousand times. You need to test; I did it for what? We now have a clear recommendation that if the computer is locked, as if we do not receive the password for sure, you do not lose anything, you do not lose anything, you can always try to pull the dump; suddenly the keys will be there. And with any operating system, right? It works under Mac, under Windows; you can protect yourself from this in only one way: make it so that you cannot boot from external devices, that is, you need to set up a ban on booting from a flash drive, but on Windows it is very difficult to do; not all laptops, and especially computers, can set such a ban, that is, such an option often cannot even be banned there. On Macs you can do this; the same password for the T2 chip will not allow booting from a foreign device, but we saw the T2 chip can be bypassed, but on M1 just by default everything is closed there, you cannot boot from foreign devices if you have not reconfigured it there, and here it works great; that is, it will not pass the signature check, and on a Mac with M1 you cannot boot with such a flash drive. I am sure that Apple should already bring us suitcases simply where the money is. But yes, such a trick. It just appeared quite recently, few people know about it yet, but the topic is very cool.
You need a fast flash drive and a large one, because it immediately starts writing to it. There is no second try. That is, here you need to insert the flash drive, get ready, hold down all this, hold down the boot; that is, there is only one chance to take this dump after a hard reset.

The speed of writing to a USB drive, to be continued...
Pavlovich:
And how fast will it be?

Specialist:
And it directly depends on the speed of the flash drive and the memory capacity. That is, there is a USB 3.0 flash drive, it can write 100 megabytes per second, or, if it is a normal flash drive, even 200 now, via USB 3.0.
And okay, these are gigabytes, it will not take that long to write.