Forensic Focus Blog

Interview with John Patzakis, Founder and CEO of X1 Discovery

noreply@blogger.com (admin) — Thu, 17 May 2012 14:03:00 +0000

John, the last time you were interviewed at Forensic Focus you were the Vice Chairman and Chief Legal Officer at Guidance Software. Now you're the founder and CEO of X1 Discovery - tell us about that move.

I am proud to have been a co-founder and part of the senior team at Guidance Software for ten years. The early days at Guidance were exciting as we sowed new fields, just as we are doing now at X1 Discovery. At Guidance, we first pioneered Windows-based forensics, which was the new paradigm and represented an order of magnitude improvement over Dos-based forensics. Then circa 2004, we introduced and championed the concept of enterprise in-house eDiscovery, a strategy that ended up being Guidance’s main force of growth leading to our IPO in 2006.

So after leaving in 2009 and engaging in consulting projects through 2010 I began discussions with X1, an Idealab Company that I always thought had excellent search technology for both the desktop and the enterprise. At first the intent was to sit on the board as an investor but then I learned about the IP they were developing for social media, and I also became excited about the promise of X1’s enterprise server to be a very robust eDiscovery early case assessment and first pass review solution. So to make a long story short, the board at Idealab – which is our parent company -- offered to have me head up X1 Discovery as a spin-off to X1 Technologies, with ownership of all our intellectual property. It was a great opportunity and the Idealab board has been very supportive and enabled me to recruit some outstanding talent and assemble a great team.

What does X1 Discovery do? What makes it different from the other eDiscovery companies which have entered the market in the past few years?

At X1 Discovery we are pioneering the new fields of forensics and eDiscovery of social media and cloud-based data. I have always been interested in where the puck is going as opposed to where it is now, and we believe the X1 Discovery’s disruptive technology is already years ahead of the field. We accomplished this by leveraging our vision and industry experience to effectively build on the patented X1 Search Technology.

Tell us more about your products, X1 Social Discovery and X1 Rapid Discovery.

X1 Social Discovery, launched in October 2011, is basically like EnCase or FTK for social media and website collection. It is a desktop application specifically designed for computer investigators and legal professionals that we believe is the clear market leader in its class. X1 Social Discovery’s two core benefits are scalability and defensibility. It can collect tens of thousands of social media items in a few hours and up to millions in a few days, and then instantly search and filter those items with the patented X1 fast-as-you-type indexed search. X1 Social Discovery is very defensible as we are establishing a chain of custody with case management, evidence segregation, logging, and MD5 hashing of all collected items. Also, social media sites are accessed read-only, which is important as visiting a live Facebook page can easily cause changes to the page and its metadata. Finally, we collect all available metadata on social media sites. A Facebook item alone has over two dozen unique metadata fields and we preserve and collect all of them.

Our other product, X1 Rapid Discovery is a proven, and now with the release of version 4, a truly cloud-deployable, eDiscovery and enterprise search solution that enables users to quickly identify, search, and collect distributed data wherever it resides in the IaaS cloud or within the enterprise. Just this past week we were the first eDiscovery company accepted into the Amazon Web Services (AWS) Solution Provider program. Importantly, its a non-appliance software solution that is very easy to install and configure. So in addition to the cloud, X1 Rapid Discovery is quickly deployed in the field on the investigator’s own hardware to collect data from servers and/or to index, cull and search through up to terabytes of collected data...

Read more

Interview with Noreen Tehrani, Applied Trauma Psychologist, NTA

noreply@blogger.com (admin) — Tue, 15 May 2012 11:52:00 +0000

Can you tell us something about your background and why you decided to work in the field of applied trauma psychology?

I have had a very mixed career; I have worked in medical research, as a retail operations director, property development, Head of a counselling service and running my own company. I think that the fact that I have had lots of experience doing different things has been really helpful to me. Although I love research, at heart I am a practitioner and enjoy working with people and organisations to help them to have happy and healthy lives.

I don’t think that I set out to be an applied trauma psychologist – it was just that the work was interesting and I could see that it helped people deal with difficult issues.

Tell us more about applied trauma psychology - what does your work involve and who do you aim to help?

I work with lots of different organisations and kinds of people. My main areas of expertise are in psychological trauma, bullying and harassment and psychological rehabilitation. I have worked with victims of major incidents such as 9/11 and the 7/7 bombings as well as natural disasters, transport deaths, rapes and other crimes. My goal is to help organisations prepare for crisis and disasters by training and preparing their employees and when a crisis occurs to help the organisation to deal with it to limit the damage caused to the workforce. I have developed a number of psychological tools which help people to recover from stress, burnout and psychological trauma.

What experience have you had working with digital forensics professionals?

The first time I worked with digital forensic professionals was around ten years ago. A commercial forensics organisation had taken over some work on Operation Ore and the young forensic examiners were having problems in dealing with the impact of the images they were assessing. I later became involved in supporting other forensic examiners who were working in Eastern Europe where they felt that they were in very threatening working environments with little support. More recently I have become more involved with law enforcement officers working with child abuse. This is a really interesting area of work and I find that the people involved in this work are really dedicated and keen to push the boundaries of their knowledge of computer forensics to the limits.

What are the short and long term effects of working with the kind of disturbing material which digital forensics examiners often encounter in their work?

I think that it is relatively easy to see that some people will never be able to deal with the distressing images, sounds and dialogue that are part of the examiners world. Some people fail within the first few days of being exposed to the material. However, perhaps more difficult is the slow grinding down of the digital examiner's resilience which can happen over months or years. People who have handled this kind of work may suddenly find that they are unable to deal with it any more. I think that most people have a “shelf-life” for dealing with the most distressing material and need to take a break. The initial reaction to distressing material is the shock and disgust it causes, the fact that people will do things that most of us could never imagine. This is particularly distressing when the victim is a child. The real problems relate to the trauma reactions that this shock can create. The way our brains work is to try to protect us from anything that could cause harm. The common response to a traumatic exposure is to a) try to avoid further exposure b) become hyper alert or aroused to the material or thoughts about the material and c) to have dreams, flashbacks or constant thoughts about the exposure. People can also become irritable, detached and start using “self-medication” (caffeine, alcohol, drugs – prescribed and otherwise) to handle their symptoms. Often relationships suffer as normal loving relationships are affected by the impact of the material...

Read more

Interview with Keith Cottenden, Forensic Services Director, CY4OR

noreply@blogger.com (admin) — Wed, 18 Apr 2012 10:17:00 +0000

Can you tell us something about your background and how you became involved in digital forensics?

I spent 22 years in the Royal Air Force Police specialising as a Counter Intelligence and Information Technology Security investigator; supporting criminal and security investigations by the examination of recovered computer media, using recognised forensic techniques. I have over twenty years experience of carrying out computer audits and investigating incidents of computer misuse, virus attacks, hacking and loss & theft of data. I have been in the private sector, specialising in digital forensics, for the last 8 years and have worked on behalf of law enforcement agencies, solicitors and corporate clients on a variety of UK based and international cases.

What services does CY4OR offer?

CY4OR is recognised as an industry leader in the investigation of serious and complex crime, and civil litigation cases. We have extensive experience in conducting investigation on a broad range of digital media including computers, mobile devices and audio and visual analysis. We compliment our forensic offering with full eDisclosure, cell site analysis, data recovery, data destruction, vulnerability assessment and penetration testing services.

What is your own role?

I am responsible for directing all investigation and consultancy services; accountable to the board for all operational and technical aspects of the business.

Tell us more about CY4OR's growing focus on eDisclosure and eDiscovery. How important have those services become compared to "traditional" computer forensics?

eDisclosure was a natural progression from digital forensics for CY4OR. Both disciplines involve handling data in a manner that ensures preservation and interpretation. We have moved with the industry and as litigation and regulatory pressures are now a fact of life for many organisations, as well as dealing with an ever increasing amount of electronic data, edisclosure is now becoming the norm in many cases...

Read more

Exploded Car for Digital Forensics Students Tutorial

noreply@blogger.com (admin) — Fri, 13 Apr 2012 10:17:00 +0000

University forensics students sift through exploded car to find digital data for use in mock trial (YouTube Video)

Overcoming Potential Legal Challenges to the Authentication of Social Media Evidence

noreply@blogger.com (admin) — Tue, 03 Apr 2012 11:08:00 +0000

Social media evidence is highly relevant to most legal disputes and broadly discoverable, but challenges lie in evidentiary authentication without best practices technology and processes. This whitepaper examines these challenges faced by eDiscovery practitioners and investigators and illustrates best practices for collection, preservation, search and production of social media data. Also highlighted in this paper are examples of numerous unique metadata fields for individual social media items that provide important information to establish authenticity, if properly collected and preserved...

Read more

viaForensics releases 10 Android YAFFS2 images

noreply@blogger.com (admin) — Wed, 29 Feb 2012 23:34:00 +0000

The YAFFS2 file system is widely used in Android devices, but to date has not been supported by the leading open source forensic toolkit, The Sleuth Kit, commonly known as TSK. viaForensics has undertaken development to integrate YAFFS2 file system support in TSK and while the YAFFS2 analysis tools are still in development has created and verified multiple YAFFS2 images for educational purposes...

More (viaforensics)

What is it like being a digital forensics investigator?

noreply@blogger.com (admin) — Fri, 24 Feb 2012 15:39:00 +0000

A little bit of fun before the weekend...

Thanks to everyone who entered the "What is it like being a digital forensics investigator?" competition and congratulations to Infern0 for the winning entry - watch the video here!

Another Judge Rules Encryption Passphrase not Testimonial Under Fifth Amendment Analysis

noreply@blogger.com (admin) — Wed, 22 Feb 2012 11:07:00 +0000

Posted by barristerharri

I previously discussed, on a bar association section blog in 2007 and 2009, the case of In re Boucher, where a U.S. judge for the District of Vermont ruled that requiring a criminal defendant to produce an unencrypted version of his laptop’s hard-drive, which was believed to contain child pornography, did not constitute compelled testimonial communication. The circuit court appeal in Boucher was dropped, but a new case has surfaced in the U.S. Court for the District of Colorado, United States v. Fricosu. There, a bank fraud defendant’s home was searched pursuant to a warrant, and a computer seized which held encrypted files. Further, Defendant provided evidence indicating her ownership computer, that she knew it was encrypted, and that it contained inculpatory evidence...

Read more

Interview with Yuri Gubanov, Founder of Belkasoft

noreply@blogger.com (admin) — Tue, 21 Feb 2012 13:12:00 +0000

Yuri is the founder of Belkasoft, an independent software vendor specializing in computer forensics and system software for the Windows and Mac OS platforms.

Yuri, can you tell us something about your background and who you are?

I have a degree in mathematics and software engineering. I graduated with honors from St-Petersburg State University, Mathematical and Mechanical faculty. This is one of the oldest and best universities in the second largest city in Russia, famous for its white nights in June when you can even read at night being outside...

Read more

Forensic Focus site redesign

noreply@blogger.com (admin) — Mon, 13 Feb 2012 11:28:00 +0000

A short advance warning that I'm planning to make some changes to the site design this evening. There won't be any major changes, just a refresh to give what I hope will be a cleaner, more professional look with somewhat less clutter than we have at the moment.

As a result of the above, expect the site to be offline for a few hours starting at around 7PM GMT (I'll try and keep downtime to a minimum).

Cheers,

Jamie

Harry Onderwater

noreply@blogger.com (admin) — Tue, 24 Jan 2012 12:18:00 +0000

A few days ago the Dutch forensics community - indeed, the wider forensics community - lost one of its founding fathers, Harry Onderwater.

Having worked for many years for the Dutch police in Amsterdam, Harry then moved to the Centrale Recherche Informatie Dienst (National Criminal Intelligence Service) where he became one of the first investigators in the newly emerging field of computer crime, building a reputation for excellence not just in the Netherlands but also further afield throughout Europe and the USA. Later in his career he became Corporate Security Manager at KPMG in the Netherlands where he also played a leading role in digital forensics.

It is difficult to describe Harry without resorting to cliché, but he truly was a larger than life character. Behind his imposing physical presence - which must surely have worked to his advantage in his many years on the force - lay a consummate professional and gentleman. Kind hearted, generous and possessing a wonderful sense of humour, Harry was always a joy to deal with. To the vast majority of those who met Harry through work, there is little doubt he will be remembered first and foremost as a friend rather than a colleague.

On a personal note, I would like to offer my sincere condolences to Harry's family and close friends. He has left us all too soon and will be deeply missed.

Bedankt, Harry, voor alles.

Jamie

Forensic Toolkit v3 Tips and Tricks ― Not on a Budget

noreply@blogger.com (admin) — Tue, 29 Nov 2011 16:01:00 +0000

by Sean L. Harrington

"A couple of weeks ago, Brian Glass posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a Budget. His comment focused on how to “get close to SSD performance on the cheap” and he discussed the practice of partitioning a large hard drive, but using only the outer sectors of the platter, and frequent defragmentation. In my comment, today, I want to encourage readers to adopt Glass’ advice, and, if you have the budget, to consider a few other enhancements to improve performance..."

Read more

Is your client an attorney? Be aware of possible constraints (Part 2)

noreply@blogger.com (admin) — Tue, 29 Nov 2011 16:01:00 +0000

by Sean L. Harrington

"In my first post several weeks ago, I discussed some of the special obligations that digital forensics investigators may have while in the employ of a lawyer. I elaborated briefly on the duty to zealously guard the attorney-client privilege, to correctly apply the work product doctrine, and to conduct investigations in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party. In this second part of the series, I will explore another important factor for consideration by examiners: the legality of investigative techniques..."

Read more

iPhone Tracking – from a forensic point of view

noreply@blogger.com (admin) — Tue, 29 Nov 2011 16:00:00 +0000

Posted by 4rensiker

"iPhoneTracking is sexy! Every mobile forensic suite, at least the ones dealing with iPhones, are providing it proudly. iPhoneTracking also has been a hot topic in the media all around the globe. People stated that there is a way to display every step of an iPhone user ever since the device got bought. Hmm...sounds great for all kind of investigations! Let’s see..."

Read more

Android Forensics Study of Password and Pattern Lock Protection

noreply@blogger.com (admin) — Tue, 29 Nov 2011 16:00:00 +0000

Posted by Oxygen Software

"Let’s see what Pattern Lock is, how to access, determine or even get rid of it? We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to forensic investigation process. Generally pattern lock is a set of gestures that phone user performs to unlock his smartphone when he needs to use it. It seems to be complicated, but actually it is not..."

Read more

Skype in eDiscovery

noreply@blogger.com (admin) — Tue, 29 Nov 2011 15:59:00 +0000

by Stuart Clarke, 7Safe

"The EDRM (Electronic Discovery Reference Model) is a widely accepted workflow, which guides those involved in eDiscovery. Typically, the identification and collection phases see email and common office documents harvested, but as technology moves forward is this enough? Many of us are experiencing a rise in audio discovery projects using solutions including phonetics and speech to text. In time this is likely to move onto rich media, in particular video. As a forensic analyst, I know only too well the variety of different data sources which are overlooked in electronic disclosure exercises, yet I appreciate the strong argument of proportionality. Nevertheless, it is relatively straightforward to circumvent some proportionality claims with the appropriate skill sets and techniques. Throughout this article I will discuss proof of concept solutions dealing with Skype in eDiscovery..."

Read more

Forensic Toolkit v3 Tips and Tricks – On a budget

noreply@blogger.com (admin) — Tue, 29 Nov 2011 15:59:00 +0000

Posted by Brian K. Glass

"While researching FTK 3X and Oracle, you just recently discovered that the best configuration of your Oracle database would be on a solid state drive (SSD). Solid state drives give the maximum level of performance to Oracle databases and in turn speed up your FTK 3X responsiveness. You are a conscientious analyst and decide to try reinstalling your database on a SSD. You approach your boss, who is not a techno geek, and ask him to purchase a 256GB high performance SSD..."

Read more

Anonymous, what does it mean?

noreply@blogger.com (admin) — Tue, 29 Nov 2011 15:58:00 +0000

Posted by forens245

"Anonymous, a word which Merriam-Webster describes as: of unknown authorship or origin, not named or identified, or lacking individuality, distinction, or recognizability. There are some in this world that wish to remain anonymous, not named or identified. Sure I am one of these people, but I have my reasons. With the work that I do, clinging to my anonymity is how I keep myself safe, out of harm’s way. There are many people that would like to see me hang for what I’ve uncovered about them..."

Read more

YouDetect – Implementing the principles of statistical classifiers and cluster analysis for the purposes of classifying illegally acquired multimedia files

noreply@blogger.com (admin) — Fri, 07 Oct 2011 15:28:00 +0000

Author: Jonathan Murphy, 7Safe

Whilst all instances of the illegal acquisition of multimedia are not known, it is not possible to gain a complete loss value, but a loss of $12.5 billion has been suggested by the IPI. Continued response as a means of protecting the media companies and the income they receive from legal sales continues as copyright enforcement attempts to eradicate illegal downloading. This is forcing those who support the legal downloading material to invent new and more creative means to adapt technology to achieve an end to their means. ‘YouTube Downloader’ (YTD) is a proof of concept which allows the user to download videos (of any nature) from a number of video streaming websites simply by entering the URL of the video they wish to download. Whilst the application is specifically named after the website, YouTube.com, videos from many other websites can be acquired in this manner. The software allows the user to convert this video to a variety of multimedia formats including .mp3 and .avi. The individual can then view on these files on any supporting media device or computer. In the case of copyrighted material, the individual who uploaded the material to YouTube in the first instance, as well as the individual who then ‘reproduced’ the material by extracting the video file have infringed on copyright law. As of September 2011, YTD has received approximately 85 million downloads via software download website, ‘CNET.com’ making it the most commonly used tool of its type by a significant margin. Yet, for something which significantly assists and supports illegal downloading and multimedia piracy so significantly, little has been done to develop a suitable response...

Read more

Advice for Digital Forensics Job Seekers

noreply@blogger.com (admin) — Fri, 07 Oct 2011 08:38:00 +0000

by Joe Alonzo

You see the job advertisements posted on the web everyday, Digital Forensics Analyst, Internet Investigator, Computer Forensic Associate. You hit the Apply Now button, often never hearing back from said company.

Your background may consist of computer programming/IT, network security or possibly even a background in law enforcement. You ask yourself, “How do I get the attention of this organization and get them to hire me?”

Working for the leader in Computer Forensics and eDiscovery recruiting and seeing all the good and bad candidates have done, I can give you some great insight on how to get your dream job...

Read more

Forensic Toolkit v3 Tips and Tricks – Re-indexing a case

noreply@blogger.com (admin) — Tue, 04 Oct 2011 11:56:00 +0000

by Brian K.Glass

This is the first in a series of articles that will cover topics concerning AccessData Forensic Toolkit (FTK) version 3.

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic images of seized computers and assorted media which previously had been successfully processed and indexed. You’ve worked on this case for weeks, painstakingly searching and bookmarking thousands of keywords provided by Inspector R. Runner who has been investigating the Acme Corporation.

Monday morning you come to work and fire up your FTK cluster, open your case, go to Indexed Search, type in the keywords Wile E. Coyote and Ka-Blam!! You get an error message saying a Search Request Error has occurred (Figure 1.) What happened, it was working fine on Friday?

Read more

Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)

noreply@blogger.com (admin) — Thu, 29 Sep 2011 12:30:00 +0000

by Sean L. Harrington

Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.
In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus, http://www.forensicfocus.com/index.php?name=Content&pid=346. First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches). Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth...

Read more

Publishing articles at Forensic Focus

noreply@blogger.com (admin) — Thu, 22 Sep 2011 17:09:00 +0000

Forensic Focus is always keen to publish articles, papers or blog posts of interest to the digital forensics community. Articles are published not only online but also included in the monthly newsletter (sent to over 12,00 subscribers) and promoted via our homepage/RSS feed, Twitter, LinkedIn and Facebook accounts.

This is an excellent way of raising your profile or promoting your blog and items for publication are welcome from anyone working or studying in the field.

To register as an author and start publishing at Forensic Focus, please use the form at http://articles.forensicfocus.com/contact/

What is “good enough” information security?

noreply@blogger.com (admin) — Mon, 19 Sep 2011 13:03:00 +0000

by Simon Biles

I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What there is in common with most people who are keen, but still a bit wet behind the ears, is an idealistic world view where Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, irregardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Oceans 11″ – I know what can happen to a safe.

The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either...

Read more

Obtaining Information from Mobile Devices in Criminal Investigations

noreply@blogger.com (admin) — Wed, 24 Aug 2011 13:20:00 +0000

by David W. Bennett

Mobile device forensics is the process of recovering digital evidence from a mobile device under forensically sound conditions and utilizing acceptable methods. Forensically sound is a term used in the digital forensics community to justify the use of a particular technology or methodology. Many practitioners use the term to describe the capabilities of a piece of software or forensic analysis approach (McKemmish, 3). Mobile devices vary in design and manufacturer. They are continually evolving as existing technologies progress and new technologies are introduced. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis. Knowledge of the various types of mobile devices and the features they possess is an important aspect of gathering information for a case since usage logs and other important data can potentially be acquired using forensics toolkits.

Mobile device forensics has expanded significantly over the past few years. Older model mobile phones could store a limited amount of data that could be easily obtained by the forensics investigator. With the development of the smartphone, a significant amount of information can still be retrieved from the device by a forensics expert; however the techniques to gather this information have become increasingly complicated...