Forensic Focus Blog

Interview with Robert Bond, Product Marketing Manager, Guidance Software

noreply@blogger.com (Jamie) — Thu, 21 Feb 2013 17:31:00 +0000

Robert, please tell us a little about yourself and your role at Guidance Software

I’m the new Product Marketing Manager of Forensic Solutions which includes EnCase Forensic, Encase Portable and Tableau products.

I have been in marketing for over 15 years with technology brands like Hewlett Packard, Kodak, and most recently in e-Discovery with Ricoh Legal.

Version 7 of EnCase introduced significant changes, the reaction to some of which was mixed within the forensic community. What kind of feedback did you receive from users?

For our customers who have been using EnCase, the new look of Version 7 was a bit of a transition and took some adjustment. For new users however, the interface is similar to the look and feel of other popular programs so we’ve seen the learning curve for users new to the software become shorter.

From a customer experience perspective, Guidance marketing and technical support has provided webinars and other tools to assist users in making a smooth transition. We believe their investment in getting comfortable with the new interface will increase their efficiency.

Further, as we have upgraded the software culminating with Version 7.05; we are learning that the increased speed of processing data and several of the new features including prioritized processing are dramatically helping our customers increase their productivity...

Read more

Internet Evidence Finder (IEF) review

noreply@blogger.com (Jamie) — Wed, 30 Jan 2013 16:41:00 +0000

Reviewed by BitHead (discussion thread here).

When this review started at the beginning of August 2012, Internet Evidence Finder (IEF) was a project of Jad Saliba of JADSoftware. At that time the version was 5.41.

The interface was simple, and IEF was an easy to use tool that found a lot of artifacts and displayed them in an easy to follow report.

In the middle of August I was contacted by Adam Belsher of JADSoftware and told there was going to be a few major changes coming to JADSoftware. A week later Saliba announced “JADsoftware has a new identity, including a new company name – Magnet Forensics.”

In his first blog post on the Magnet Forensics site, Saliba wrote, “A lot has changed since I launched JADsoftware and first developed Internet Evidence Finder (or IEF) while working as a police officer and forensic examiner. After a couple of years juggling both jobs, I realized IEF had enormous potential to help you perform better investigations, so I decided to dedicate myself to developing the software full-time. The growth the company has experienced since then has exceeded my highest expectations.”

And there were a lot more changes than just the name...

Read more

Interview with Eddie Sheehy, CEO, Nuix

noreply@blogger.com (Jamie) — Fri, 30 Nov 2012 14:19:00 +0000

Eddie, can you tell us something about your background and your current role as CEO of Nuix?

I joined Nuix as CEO in 2006 after working for quite a few high-growth finance and technology businesses. What I loved about Nuix was the precise detail the software could expose about the information it indexed. Having that degree of detail at scale could make a huge difference to the way an investigation played out.

After about a year with Nuix, it became clear to me we couldn’t take on Access Data and Guidance directly –they owned the forensic investigation market. So we expanded into eDiscovery, and later information governance, as a way of growing the business. In 2011, having reached a more tenable scale, we decided to go back into investigations. That has been one of the most satisfying aspects of my time at Nuix.

What products and solutions does Nuix offer?

Nuix offers products and solutions for forensic investigation, eDiscovery and information governance. There’s a fair amount of overlap between those categories, for instance our Enterprise Collection Center technology for gathering evidence in the field is used by investigators and for eDiscovery and our processing engine underpins all three verticals.

Indeed, at the heart of these products is our patent pending unstructured data indexing engine. The Nuix engine has unique load balancing, fault tolerance and intelligent processing technologies that enable it to process huge volumes of unstructured data at high speed and with forensic certainty...

Read more

Interview with Jonathan Krause, Managing Director, First Response

noreply@blogger.com (Jamie) — Wed, 14 Nov 2012 15:28:00 +0000

Jonathan, we last interviewed you back in 2008, what have you been doing since then?

In early 2008 I started Forensic Control after four years as a computer forensic employee. It began as a vehicle for my contract work but soon developed into a business in its own right, becoming relatively well known – albeit within the fairly small world of computer forensics! I moved further and further away from my roots in public sector work, and found myself really enjoying the faster pace and challenges in the corporate world; there was no going back for me. During this time I was fortunate enough to work on some very interesting cases including the Deepwater Horizon oil spill and the estate of Elvis Presley.

You recently became the Managing Director of First Response. Tell us more about the company and your involvement.

First Response was set up in January 2012, and at present is being run alongside Forensic Control. There are three joint owners of the company; myself, John Douglas and Bill Lindley. John (the Operations Director), Bill (the Chairman) and I bring together over 30 years’ experience of working in the industry. We decided to bring the forensic operations of our separate companies under one roof which was a natural progression for each of our companies. We think we complement each other very well! There’s some more background on First Response in the recent Forensic Focus news item.

I’ve known Bill and John professionally and socially for years; as well as offering what we believe is a first-class service, we enjoy our work and enjoy working with each other – for me, this is of fundamental importance.

In terms of my involvement, I’m a typical managing director/CEO though with a very much hands-on role. You’re as likely to find me imaging an unusual server configuration, analysing the content and reporting back to the client as much as dealing with the behind scenes management.

Can you give us some recent examples of cases First Response has worked on?

Sure. I think First Response’s main strength is in having both a great technical depth and an ability to communicate complex matters in a way that an average lawyer or director can easily understand and then act on. This helps our clients tremendously as it did in the two examples of cases I'll outline...

Read more

Webinar (online now): Pitfalls of Interpreting Forensic Artifacts in the Windows Registry

noreply@blogger.com (Jamie) — Thu, 01 Nov 2012 16:12:00 +0000

The webinar "Pitfalls of Interpreting Forensic Artifacts in the Windows Registry" is now online here.

If you encounter any difficulties viewing the above page, the webinar is also available on YouTube here.

In this webinar, Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows Registry reporting. Jacky will be available in this forum thread for about an hour to answer any questions.

Guidance Software Releases EnCase® Forensic v7.05

noreply@blogger.com (Jamie) — Tue, 30 Oct 2012 15:22:00 +0000

Guidance Software Inc. has announced the release of EnCase® Forensic version 7.05. This latest version of the industry-standard forensics software features key enhancements that enable investigators to work with data sets earlier and faster in order to both begin and close cases faster than ever before. Speed enhancements in the EnCase Forensic v7.05 evidence processor have reduced significantly the processing time for both small and large data sets. Digital investigators can now rapidly process evidence files of virtually unlimited size, dramatically reducing case backlogs. With EnCase Forensic v7.05, investigators can uncover evidence up to nine times faster than previous versions using the greatly enhanced evidence processor...

EnCase Forensic v7.05 also improves investigative efficiency by automating common investigation tasks and significantly reducing manual efforts. Prioritized processing lets users process an early subset of evidence and make it available more quickly for analysis by investigators. They can also choose to continue or to stop processing remaining evidence. Enhancements to the analytic capabilities of the product’s built-in Case Analyzer offer forensic examiners deeper insight into computer systems through higher-level reports on metadata and the ability to compare potentially related artifacts side-by-side. Examiners can establish hyperlinks to original documents and images within reports. In addition, the results of a keyword search can be viewed and analyzed while that search is ongoing...

Read more

Webinar: Pitfalls of Interpreting Forensic Artifacts in the Windows Registry

noreply@blogger.com (Jamie) — Mon, 29 Oct 2012 15:29:00 +0000

In this webinar, Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows Registry reporting - focusing on automating correlation and interpretation. After the webinar Jacky will be available in the Forensic Focus webinars forum to answer any questions.

Date: Thursday, November 1st 2012
Time: 12PM (midday) EDT US / 4PM GMT UK / 5PM CET Europe
Duration: 20 mins

There is no need to register for this webinar, simply visit http://www.forensicfocus.com/webinars at the above time (the webinar has been pre-recorded and will be archived for viewing later if you are unable to attend)

Interview with Lindy Sheppard, F3 (First Forensic Forum) Secretary

noreply@blogger.com (Jamie) — Tue, 09 Oct 2012 08:42:00 +0000

Lindy, tell us something about the cases you have been involved in.

I have been involved in quite a variety of cases, from counter terrorism to the importation of drugs, fraud, missing children and sadly, far too often, the abuse of children. Working alongside Tony Sammes has meant that I have been involved in many high profile and often ground breaking cases. It has always been good to see the outcome of a trial in the news and feel a sense of satisfaction at a job well done. Although not working on the technical side of the industry I have been the link between Tony and the case officer and/or OIC in far more cases than I can number - I do know that I have handled well in excess of 600 exhibits...

Read more

Interview with Philip Anderson, Senior Lecturer at Northumbria University

noreply@blogger.com (Jamie) — Thu, 13 Sep 2012 15:24:00 +0000

Philip, can you tell us something about your background and why you decided to teach digital forensics?

I graduated from Northumbria University with a BSc (Hons) in Business Information Technology in 1997 and gained an MSc in Distance Education with Athabasca University, Canada by distance learning in 2008.

After I graduated I started working at Northumbria University in a number of different IT Support/Developer roles for different departments within Northumbria University before becoming a Lecturer in 2001. I started teaching programming and also web design and development modules. It was in 2004 and 2005 alongside colleagues that we developed the undergraduate Computer Forensic degree. Once validated and in its first year I naturally changed to teach computer forensic modules (and more) as the degree progressed.

I have over seven years’ extensive teaching experience involving Guidance Software (i.e. EnCase) in taught computer forensic modules. I have also successfully worked in the field, on a number of different forensic examinations of digital media for external clients, involving examination, analysis and production of extensive reports.

I was appointed a European Network and Information Security Agency (ENISA) expert in 2010 for two years for identifying emerging and future ICT risks in the area of Information Security Risk Assessment and Management. I also served as a Special Constable with Durham Constabulary for over 14 years.

For me, the reason I chose and enjoy teaching digital forensics is my computing background and the application of that knowledge in conjunction with strong investigative skills...

Read more

Windows 8 Forensics webinar - alternative URL

noreply@blogger.com (Jamie) — Wed, 29 Aug 2012 15:58:00 +0000

Sincere apologies to anyone having difficulty connecting to the Meetingburner service to view the Windows 8 Forensics presentation - please try the following URL on YouTube instead:

http://youtu.be/uhCooEz9FQs

Josh is available in the webinars forum to answer any questions. Please go here if you would like to join in the discussion.

Additionally, a PDF with slides from the presentation can be downloaded here.

I will get these gremlins out of the system soon, I promise!

Jamie

JADsoftware - The Company Behind IEF - Re-Launches As Magnet Forensics Inc.

noreply@blogger.com (Jamie) — Tue, 28 Aug 2012 13:22:00 +0000

JADsoftware, the company behind the industry-leading digital forensics product Internet Evidence Finder (IEF), announced on Monday that they have re-launched the company under a new name - Magnet Forensics Inc.

“A lot has changed since I launched JADsoftware and first developed IEF while working as a police officer and forensic examiner,” said Jad Saliba, Founder and Chief Technology officer of Magnet Forensics.

“After a couple years juggling both jobs, I realized that IEF had tremendous potential to help forensics professionals perform better investigations, so I decided to dedicate myself to developing the software full-time,” Saliba explained. “We now have a team of talented individuals who are working around the clock to take IEF to the next level. The time felt right to transition to a name that better reflects what we do, which is help our customers get to key Internet evidence as quickly and easily as possible, among a proliferation of online data.”

Read more

Computer Analysts and Experts – Making the Most of GPS Evidence

noreply@blogger.com (Jamie) — Mon, 27 Aug 2012 16:15:00 +0000

by Professor David Last

The many companies that sell software for computer forensics have developed products for analysing satellite navigators. Police high tech crime units and independent laboratories now use this software on an industrial scale. Computer technicians conduct the analyses. This is home territory for them, since the biggest component of a vehicle satellite navigator is a computer, often running the Linux operating system, and with access via a USB connection or an SD card. The analysis software extracts addresses which it plots using tools such as Google Maps. Specialists extract similar data from satnavs built into vehicles.

But many investigating officers find the results disappointing: “it’s just a list of addresses!” Unlike CCTV, ANPR and witness evidence, there are rarely times or dates to fit into a chronology. And anyway, the addresses are simply destinations for planning routes. The defence will point out that no-one can say who entered them, or at what time on what date, or whether a route was planned to them, or whether the satnav ever went there, let alone in a specific vehicle driven by a their client!

Another problem is that the investigating officer may simply not be able to understand the data provided. What are all these addresses? Were they recorded by the device itself or input by a user? Was that inputting an intentional action? The sense of frustration is enhanced by the quality of reports generated by much commercial software. The best packages provide at least some explanation of the data they contain, the worst none at all. The technicians who conduct the analyses often have neither the time nor the training to help. This leaves the officer with the prospect of presenting and defending poorly understood data in court. Some just give up!

But the addresses may at least have intelligence value...

Read more

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

noreply@blogger.com (Jamie) — Fri, 24 Aug 2012 11:29:00 +0000

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic. What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code.

While conducting their research, they found that practical tool-based solutions existed for generating digital forensic timelines, though they each had specific limitations. Thus, efforts were undertaken by the authors to provide an alternative timeline generation framework. Although some in the community had already proposed the use and generation of supertimelines, all too often important data sources were being left out. In order to rectify this, it became necessary to couple additional tools in order to provide maximum evidentiary extraction...

Read more

Webinar: Windows 8 Forensics - A First Look

noreply@blogger.com (Jamie) — Wed, 22 Aug 2012 14:35:00 +0000

Take a first look at Windows 8 forensics in a webinar presented by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University. Learn about the changes in Windows 8 which forensic examiners should be aware of before this new OS is released to the public in October. After the webinar Josh will be available in the Forensic Focus forums to answer any questions.

Date: Wednesday, August 29 2012
Time: 11AM EDT US / 4PM BST UK / 15:00 GMT
Duration: 35 mins

Register today at http://forensicfocus.enterthemeeting.com/m/JXI8IWVX

Please share this invitation with any friends or colleagues who might also be interested, thank you.

Apple phones are AES-tough, says forensics expert

noreply@blogger.com (Jamie) — Fri, 17 Aug 2012 12:57:00 +0000

Monday's Technology Review carries a glowing tribute to Apple iPhone security according to its author, Simson Garfinkel, a contributing editor who works in computer forensics and is highly regarded as a leader in digital forensics. He says Apple has passed a threshold “Today the Apple iPhone 4S and iPad 3 are trustworthy mobile computing systems that can be used for mobile payments, e-commerce, and the delivery of high-quality paid programming,” thanks to Apple’s heavy investment in iPhone security. That is where “threshold” comes in. Apple has crossed it. Even law enforcement cannot perform forensic examinations of Apple devices seized from criminals, he said...

Read more (Phys.org)

Researchers Show How to Crack Android Encryption

noreply@blogger.com (Jamie) — Thu, 16 Aug 2012 11:21:00 +0000

As forensic examiners, some of the last things we want to hear are "encryption" and "enabled" in the same sentence, however that's what has been happening with the current line of Android devices. Starting with Android 3.0, devices have been shipping with the ability for the user to enable full device encryption. Fortunately for the forensic community, there are individuals steadfast to find a way to break that encryption - and have already proven how to do so. Two such researchers - Thomas Cannon and Seyton Bradford - have demonstrated successful brute force attacks against Android encryption. Thomas detailed their findings at DEF CON 2012 in his presentation "Into the Droid - Gaining Access to User Data"...

He discusses that the encryption uses standard Linux dm-crypt, incorporated in Android devices running version 3.0 and newer, and uses the same password to encrypt and decrypt data as is used to unlock or log in to the device. So while the encryption is generally considered strong, users default to using short or easy-to-type passwords and pins to protect their device and enable the encryption...

Read more

Forensic Examination of FrostWire version 5

noreply@blogger.com (Jamie) — Fri, 10 Aug 2012 15:53:00 +0000

As digital forensic practitioners, we are faced regularly with users utilizing the internet to swop and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving. This paper will discuss how the P2P software application, FrostWire v.5, functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P applications...

Read more

Book Review: Mastering Windows Network Forensics & Investigations

noreply@blogger.com (Jamie) — Wed, 01 Aug 2012 13:07:00 +0000

by Chad Tilbury

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources. The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics. I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly. That said, the topics covered do not fit within the classical definition of network forensics. A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing. The authors blended dense material with relevant examples and insightful and engaging text boxes. Some of my favorite “side” topics were:

“Cross-platform Forensic Artifacts”
“Registry Research”, illustrating the use of Procmon for application footprinting
“Time is of the Essence”, explaining fast forensics using event logs and the registry

The book begins with four chapters familiarizing the reader with Windows networking. While this may slow down those hungry for forensics topics, they are replete with information. Windows domains, hacking methodology, and Windows credentials are all described in these early chapters. Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise. While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks. It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts...

Read more

Introduction to Penetration Testing – Part 3a – Active Reconnaissance

noreply@blogger.com (Jamie) — Thu, 26 Jul 2012 15:52:00 +0000

by Si Biles, Thinking Security

Apologies in advance, this is a bit of a connective blog entry – this is a big topic, and it needs some scene setting, basic understanding and several weeks worth to get the most out of it.

We live in a connected world now – my other half was showing me a washing machine with a WiFi connection and an associated iPhone App that would allow you remote control of and reporting about your intimate garments spin cycle ! I wonder if that is really necessary to be honest, as even if it has finished, knowing that while I’m in the office and the washing machine is at home is a complete waste of electrons.

The network, and the connected nature of things is what allows us as penetration testers to attempt to compromise the security of a company without going anywhere near it. There are other aspects to full scale penetration testing as I’ve alluded to before – with social engineering and physical attack ( lock picking, not baseball bat ) parts of such a scope – but a majority of the work is computer and network based.

To that end, a good understanding and working knowledge of networking is pretty much a job pre-requisite. So, rather than giving you a lesson myself, I’ll give you a quick and dirty set of online references – this won’t make you an expert by any stretch of the imagination, but hopefully it will get us through the rest of this section without too much head scratching.¹

I would apologise for the laziness on my part, however I subscribe to Larry Wall’s school of thought that it is a virtue – if someone else has done it well enough already, why spend time re-inventing the wheel. The corollary of that is, if you find that there isn’t a good explanation of something in that set that you’d like to understand better – add a comment on the bottom of this post and we’ll bring it up to scratch ( perhaps both here and at Wikipedia ).

So seing as you all now fully understand TCP/IP packet structure and know your URG from your SYN …

Read more

Authenticating Internet Web Pages as Evidence: a New Approach

noreply@blogger.com (Jamie) — Tue, 24 Jul 2012 14:08:00 +0000

By John Patzakis [1] and Brent Botta [2]

Previously, in Forensic Focus, we addressed the issue of evidentiary authentication of social media data (see previous entries here and here). General Internet site data available through standard web browsing, instead of social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges, which are outlined below. To help address these unique challenges, we are introducing and outlining a specified technical process to authenticate collected “live” web pages for investigative and judicial purposes.[3] We are not asserting that this process must be adopted as a universal standard and recognize that there may be other valid means authenticate website evidence. However, we believe that the technical protocols outlined below can be a very effective means to properly authenticate and verify evidence collected from websites while at the same time facilitating an automated and scalable digital investigation workflow.

Legal Authentication Requirements

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under US Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence)...

Read more

"Finding Evidence in an Online World" webinar recording and PDF now available

noreply@blogger.com (Jamie) — Thu, 19 Jul 2012 15:24:00 +0000

A recording of this week's webinar "Finding Evidence in an Online World - Trends and Challenges in Digital Forensics" is now available here and on YouTube here.

Sincere thanks to Jad Saliba for agreeing to re-record the presentation yesterday as a result of the audio issues we experienced during the live version. Also, a number of people requested a PDF version of the slides and Jad has kindly made that available here.

A free trial of IEF (the software used in the presentation) is available at http://www.jadsoftware.com/trial and for details of a 10% discount available until August 1st 2012 please contact sales@jadsoftware.com

Retrieving Digital Evidence: Methods, Techniques and Issues

noreply@blogger.com (Jamie) — Sat, 14 Jul 2012 19:20:00 +0000

by Yuri Gubanov yug@belkasoft.com
Belkasoft Ltd. http://belkasoft.com

This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence.

A recent research conducted by Berkeley scientists concluded that up to 93% of all information never leaves the digital domain. This means that the majority of information is being created, modified and consumed entirely in digital form. Most spreadsheets and databases never make it on paper, and most digital snapshots never get printed. There are many activities such as chats and social networking that are specific to digital and are even unimaginable outside of the virtual realm.

Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases and prevent crimes. This article discusses the many types of digital evidence produced by a typical computer user, criminal or not, and demonstrates methods and techniques available to extract that evidence out of the original PC and into the hands of a forensic investigator...

Read more

Parallels hard drive image converting for analysis

noreply@blogger.com (Jamie) — Fri, 13 Jul 2012 16:41:00 +0000

by zoltanszabodfw

The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find many help on this issue on-line and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I wanted to approach this issue is by converting the hard drive image to something simpler like a dd image. I found a very nice article on how to convert to a plain hard drive image using Parallels Image Tool that comes with Parallels Desktop( http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html), but I had no access to a Mac and wanted to see if there is a way to do this on Windows. There was VMware vCenter Converter ( free software – http://www.vmware.com/products/converter ), but it did not by giving a message the it could not recognized it. I also found an interesting tool MakeVM – http://www.sysdevsoftware.com/soft/makevm.php that looked very promising, but the demo version would not convert an image size larger than 2GB. So, I wanted to look further into other options. This article is about the findings of that “journey”.

Parallels Workstation comes with a few command line tools for basic drive manipulation like prl_disk_tool or prl_conver, but the best converter, I found, is the latest Open Source project QEMU.
Qemu-1.0.1-windows.zip - http://lassauge.free.fr/qemu/

One of the utilities in QEMU is qemu-img where the help file reveals the value of this simple utility, when it comes to converting image types. The latest version just added the parallels’ image format support. “Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qco w2 qed host_device file raw sheepdog vdi vmdk vpc vvfat”

Step 1. I have downloaded Parallels Workstation trail version to create a virtual machine for testing and to make sure my findings will be applicable to the latest version of Parallels.

Parallels Workstation Build 6.0.13976
( Revision 769982; June 8, 2012 )

Step 2. Created a virtual machine ( Windows 2008 Server ) with a 20GB hard drive.
Step 3. Used qemu-img utility to convert the image into a raw image
qemu-img.exe convert -f parallels -O raw “Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds” f:\temp\otput.dd
Step 4. Opened the image in FTK Imager to analyze the data

Parallels converted hard drive image in FTK Imager

Introduction to Penetration Testing – Part 2 – The Discovery Phase – Passive Reconnaissance

noreply@blogger.com (Jamie) — Wed, 11 Jul 2012 10:27:00 +0000

by Si Biles ( @si_biles ), consultant for Thinking Security

PenTest, like forensics, is almost as much an art as it is a science – you can only be taught so far, technical techniques and tools are all very well, but you really need a mind that can think sideways and approach a task from as many angles as possible. The ex-LE forensicators have this skill in spades – the data that is potentially available during an investigation includes interviews, statements, crime scene photos and all matter of collected evidence – in the commercial world there is less available, but still I’m confident that you’ll all have your sources. PenTest is much the same, the more that we can know about a potential target before we even fire up NMap¹, the further we will get.

The title of this segment is “Passive Reconnaissance” – that’s not to say that you don’t have to do anything during this phase and that it all comes to you – it’s about obtaining information which is already in the public domain – not necessarily deliberately – and is related to the target.²

There isn’t really anything, at this stage, that we aren’t interested in – collect all the information you can – we can whittle it down to pertinent facts as we go along³.

Right then – where to start ? Well, let’s start to build a picture of our target. Let’s have a look at their domain:

si$ whois google.co.uk

Domain name:

google.co.uk

Registrant:

Google Inc.

Registrant type:

Unknown

Registrant's address:

1600 Amphitheatre Parkway

Mountain View

CA

94043

United States

Registrar:

Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]

URL: http://www.markmonitor.com

Relevant dates:

Registered on: 14-Feb-1999

Expiry date: 14-Feb-2013

Last updated: 10-Feb-2011

Registration status:

Registered until expiry date.

Name servers:

ns1.google.com

ns2.google.com

ns3.google.com

ns4.google.com

WHOIS lookup made at 23:20:53 03-Jul-2012

--

Ok, so we have a home address for our company – this example isn’t the most detailed, but you can often glean names, e-mail addresses and phone numbers from a whois lookup. It’s good if you can get an e-mail address – these will start to give you an idea of what the common format is that is used within the company – e.g. first initial last name (sbiles) or first name.last name (simon.biles) or if there is a complicator (simon.biles100) [incidentally these are all real addresses at various organisations I've worked at]. Remember this, it will come in useful later.

If we have a look at the website of our target itself, it is most likely that there will be good information there too – names, addresses, phone-numbers and e-mails are all good. Also, look out for support contact details, FTP site details and logins for example, social networking links etc. All of this is grist to the mill – potential routes of later attack, sources for social engineering, logins to systems that will get you past the first line of defence. Take a note of product names as well, these are often used as “guest” login details for FTP sites too – “producttrial” as both the username and password for example – for sales staff to use with customers. If you are planning a social engineering phase, it can be beneficial to take copies of web-pages ( faking a login page ), logos ( faking business cards and documents ) and other official looking documents and marketing material – I personally dislike performing social engineering, it’s often the easiest way to get into somewhere – if you are going to do it, make sure that you agree with your client in advance that there will be no repercussions for any member of staff that you succeed in manipulating, and that anonymity will be preserved – it could be an unlucky ring of the phone that costs someone their job otherwise.

Where next ? Google. Google is your friend – it is one of the most amazing tools available, not only having a huge index of things that are current, but also cached copies of things that might not be so current. Googling well is a skill, not unlike that of writing search queries for Forensic searches – just Google is a lot faster than EnCase or FTK over a much bigger data set...

Read more

Interview with John H. Riley, Bloomsburg University of Pennsylvania

noreply@blogger.com (Jamie) — Thu, 05 Jul 2012 12:37:00 +0000

John, can you tell us something about your background and why you decided to teach digital forensics?

First, thanks for the opportunity to discuss our program. We're really proud of what we've accomplished here and believe we're contributing to the digital forensics community. I started as a mathematician (Ph.D., University of Connecticut, 1980) and then began to teach computer science as well as mathematics in the 1980s. I wrote two programming textbooks (Pascal, for the old timers). About six or seven years ago, my department was investigating majors that would be good for students. We decided upon computer forensics. It is an interesting, useful field of study that has worked really well for us and our students.

On the intellectual side, I find the whole issue of what information can be found and how it can be used to build a story quite fascinating. "Story" here means a narrative that shows what happened, in a rigorous sense (a la a mathematician's proof). As a professor, it's really fun to work with digital forensics students. Our curriculum has a lot of hands on work so we see our students really digging into things. The ultimate reward is seeing them graduate and begin work. I must note that I've had really great colleagues, particularly Scott Inch, to work with. I also am grateful to the larger forensics community for their help.

What digital forensic courses are currently offered by Bloomsburg University?

Introduction to Digital Forensics, File Systems 1 and 2, Digital Forensics Software, Advanced Topics in Digital Forensics, Small Devices Forensics, UNIX/Linux for Digital Forensics.

Tell us more about course structure and content. What core knowledge and key skills should students gain by the end of their studies?

The first five courses listed above (along with some computer science and other courses) form the backbone of our major. They cover the artifacts that can be found on a computer (and how they come to be), how the artifacts can be extracted in a forensically sound manner and how they can be linked together and presented or reported. As an example, students know why a deleted file may or may not be able to be recovered, how to use a tool like EnCase or FTK (or even a hex editor) to recover it, how it might be related to a link file or a registry entry, how to ensure its integrity after extraction using a hash function and how to include it in a report. We stress the importance of knowing how the computer is organizing files and generating artifacts so that what a tool produces is understood. Our graduates are prepared to defend their results. We also put this work in context. It's not just finding a deleted file, it's finding evidence which may change a person's life. So beyond knowledge and skills, we foster a sense of responsibility and integrity...

Read more at http://www.forensicfocus.com/c/aid=46/interviews/2012/john-h-riley-bloomsburg-university-of-pennsylvania/