<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-36666403</atom:id><lastBuildDate>Wed, 01 Feb 2012 10:14:58 +0000</lastBuildDate><category>data recovery</category><category>Guidance Software</category><category>Scott Burkeman</category><category>Hard disk data storage</category><category>CSITech</category><category>Research</category><category>write blocking</category><category>graduates</category><category>Adroit Photo Forensics</category><category>Digital Evidence Collection Kit</category><category>Computer Forensic Investigation</category><category>storage</category><category>privacy</category><category>graduate</category><category>stalking</category><category>cold boot attack</category><category>mobile telephone connection records</category><category>bitlocker</category><category>business continuity</category><category>cell phone forensics</category><category>file carving</category><category>Criminal Justice and Immigration Bill</category><category>Kaminsky</category><category>encryption</category><category>cyberstalking</category><category>George Chlapoutakis</category><category>McMurdie</category><category>validating</category><category>tactical</category><category>David Benford</category><category>dominik weber</category><category>computer forensics</category><category>Forensic 4cast</category><category>Lance Mueller</category><category>hotplug</category><category>computer forensics events</category><category>Greg Smith</category><category>Google history</category><category>Projects</category><category>clifford 
stoll</category><category>review</category><category>Challenges</category><category>security metrics</category><category>Appointments-UK</category><category>training</category><category>blogs</category><category>Graham Brown-Martin</category><category>reporting</category><category>future</category><category>cv</category><category>scalability</category><category>write blocker review</category><category>ntfs</category><category>Chris Pamplin</category><category>Images</category><category>Si Biles</category><category>FTK</category><category>computer forensics jobs</category><category>EnCase</category><category>PIN</category><category>document analysis</category><category>Cystinosis</category><category>Experience</category><category>craig ball</category><category>forensics</category><category>employment</category><category>David Sullivan</category><category>data recovery training</category><category>Jon Rowe</category><category>online</category><category>Google forensics</category><category>Nick Furneaux</category><category>interview</category><category>expet witness</category><category>ACPO Good Practice Guide</category><category>Lee Whitfield</category><category>computer forensics costs prices</category><category>forensic focus stats</category><category>computer forensics licensing</category><category>tagview</category><category>Russell May</category><category>Columnists</category><category>interviews</category><category>DOMEX</category><category>expert witness</category><category>EnScripts</category><category>geotags</category><category>simon biles</category><category>key recovery</category><category>feeds</category><category>e-fense Live Response</category><category>forensic software</category><category>cell site analysis</category><category>education</category><category>technology</category><category>forensic hardware</category><category>Bright Forensics</category><category>computer security</category><category>Simson 
Garfinkel</category><category>Nessus</category><category>Tableau</category><category>Zimmermann</category><category>digital evidence</category><category>push button</category><category>passwords</category><category>truecrypt</category><category>forums</category><category>Scott Moulton</category><category>Search Warrants</category><category>iso</category><category>Infosecurity</category><category>chris hargreaves</category><category>Students</category><category>Sam Raincock</category><category>Programming</category><category>telecoms</category><category>procedures</category><category>live forensics</category><category>computer forensics education</category><category>harassment</category><category>mobile forensics</category><category>Advanced Forensic Sessions</category><category>survey</category><category>Pinpoint Labs</category><category>write blockers</category><category>peer review</category><category>UK Register of Expert Witnesses</category><category>data protection</category><category>single sign on</category><category>forensic reports</category><category>terms of engagement</category><category>image</category><category>disaster recovery</category><category>SIM</category><category>Tony Sammes</category><category>recruitment</category><category>4N6 Investigation</category><category>hard disk reliability</category><category>holographic memory</category><category>wiebetech</category><category>sharing knowledge</category><category>Matthew Shannon</category><category>V200 SIM Dialer</category><category>sterilization</category><category>cuckoo's egg</category><category>games consoles</category><category>Cloud Computing</category><category>recruiters</category><category>cold boot</category><category>careers</category><category>Agile Risk Management</category><category>vulnerability scanners</category><category>dan gaskell</category><category>Stephen Mason</category><category>network 
forensics</category><category>copyright</category><category>certification</category><category>Helix 3 Enterprise</category><category>wiping</category><category>jobs</category><category>Diffie</category><category>Digital Safety Conference</category><category>twitter</category><category>Robert Botchek</category><category>computer forensics recruitment</category><category>Hoffmann</category><category>compliance</category><category>computer forensics training</category><category>sean mclinden</category><category>standards</category><category>X-Ways</category><category>global computer forensics</category><category>memory acquisition</category><category>metadata</category><category>F-Response</category><category>electronic signatures</category><category>Ben Levitan</category><category>computer forensics podcasts</category><category>Windows Search forensics</category><title>Forensic Focus Blog</title><description>Thoughts and musings on computer forensics from &lt;a href="http://www.forensicfocus.com"&gt;Forensic Focus&lt;/a&gt;</description><link>http://forensicfocus.blogspot.com/</link><managingEditor>noreply@blogger.com (admin)</managingEditor><generator>Blogger</generator><openSearch:totalResults>176</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="forensicfocusblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.forensicfocus.com/blog/feed.php" /><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My 
Yahoo!</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.bloglines.com/sub/http://www.forensicfocus.com/blog/feed.php" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwww.forensicfocus.com%2Fblog%2Ffeed.php" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5883448360522872715</guid><pubDate>Tue, 24 Jan 2012 12:18:00 
+0000</pubDate><atom:updated>2012-01-24T04:18:53.850-08:00</atom:updated><title>Harry Onderwater</title><description>A few days ago the Dutch forensics community - indeed, the wider forensics community - lost one of its founding fathers, Harry Onderwater.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://1.bp.blogspot.com/-OVo9iL3NhZM/Tx6gvKAM9-I/AAAAAAAAAFg/FxvPXQvoIIE/s1600/harry.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-OVo9iL3NhZM/Tx6gvKAM9-I/AAAAAAAAAFg/FxvPXQvoIIE/s1600/harry.jpg" /&gt;&lt;/a&gt;Having worked for many years for the Dutch police in Amsterdam, Harry then moved to the Centrale Recherche Informatie Dienst (&lt;span id="lblTitle"&gt;National Criminal Intelligence Service) where he became one of the first investigators in the newly emerging field of computer crime, building a reputation for excellence not just in the Netherlands but also further afield throughout Europe and the USA. Later in his career he became Corporate Security Manager at KPMG in the Netherlands where he also played a leading role in digital forensics.&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;It is difficult to describe Harry without resorting to cliché, but he truly was a larger than life character. Behind his imposing physical presence - which must surely have worked to his advantage in his many years on the force - lay a consummate professional and gentleman. Kind hearted, generous and possessing a wonderful sense of humour, Harry was always a joy to deal with. To the vast majority of those who met Harry through work, there is little doubt he will be remembered first and foremost as a friend rather than a colleague.&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;On a personal note, I would like to offer my sincere condolences to Harry's family and close friends. He has left us all too soon and will be deeply missed.&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;Bedankt, Harry, voor alles.&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span id="lblTitle"&gt;Jamie&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-5883448360522872715?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2012/01/harry-onderwater.html</link><author>noreply@blogger.com (admin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-OVo9iL3NhZM/Tx6gvKAM9-I/AAAAAAAAAFg/FxvPXQvoIIE/s72-c/harry.jpg" height="72" width="72" /><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7403047671448154593</guid><pubDate>Tue, 29 Nov 2011 16:01:00 +0000</pubDate><atom:updated>2011-11-29T08:01:40.137-08:00</atom:updated><title>Forensic Toolkit v3 Tips and Tricks ― Not on a Budget</title><description>by Sean L. Harrington&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"A couple of weeks ago, Brian Glass 
posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a
 Budget.  His comment focused on how to “get close to SSD performance on
 the cheap” and he discussed the practice of partitioning a large hard 
drive, but using only the outer sectors of the platter, and frequent 
defragmentation.  In my comment, today, I want to encourage readers to 
adopt Glass’ advice, and, if you have the budget, to consider a few 
other enhancements to improve performance..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/23/forensic-toolkit-v3-tips-and-tricks-%E2%80%95-not-on-a-budget/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/23/forensic-toolkit-v3-tips-and-tricks-%E2%80%95-not-on-a-budget/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-7403047671448154593?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/forensic-toolkit-v3-tips-and-tricks-not.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4805731595649540964</guid><pubDate>Tue, 29 Nov 2011 16:01:00 +0000</pubDate><atom:updated>2011-11-29T08:01:19.664-08:00</atom:updated><title>Is your client an attorney? Be aware of possible constraints (Part 2)</title><description>by Sean L. Harrington&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"In my first post several weeks ago, I 
discussed some of the special obligations that digital forensics 
investigators may have while in the employ of a lawyer. I elaborated 
briefly on the duty to zealously guard the attorney-client privilege, to
 correctly apply the work product doctrine, and to conduct 
investigations in a way that does not compromise the integrity of the 
case or the rights, privileges, or immunities of the retaining party. In
 this second part of the series, I will explore another important factor
 for consideration by examiners: the legality of investigative 
techniques..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/22/is-your-client-an-attorney-be-aware-of-possible-constraints-on-your-investigation-part-2-of-a-multi-part-series/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/22/is-your-client-an-attorney-be-aware-of-possible-constraints-on-your-investigation-part-2-of-a-multi-part-series/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-4805731595649540964?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/is-your-client-attorney-be-aware-of.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1146106822009451141</guid><pubDate>Tue, 29 Nov 2011 16:00:00 +0000</pubDate><atom:updated>2011-11-29T08:00:56.984-08:00</atom:updated><title>iPhone Tracking – from a forensic point of view</title><description>Posted by 4rensiker&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"iPhoneTracking is sexy! Every mobile 
forensic suite, at least the ones dealing with iPhones, are providing it
 proudly. iPhoneTracking also has been a hot topic in the media all 
around the globe. People stated that there is a way to display every 
step of an iPhone user ever since the device got bought. Hmm...sounds 
great for all kind of investigations! Let’s see..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/20/iphone-tracking-from-a-forensic-point-of-view/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/20/iphone-tracking-from-a-forensic-point-of-view/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-1146106822009451141?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/iphone-tracking-from-forensic-point-of.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5114270280613497869</guid><pubDate>Tue, 29 Nov 2011 16:00:00 +0000</pubDate><atom:updated>2011-11-29T08:00:35.371-08:00</atom:updated><title>Android Forensics Study of Password and Pattern Lock Protection</title><description>Posted by Oxygen Software&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"Let’s see what Pattern Lock is, how to
 access, determine or even get rid of it? We’ll also speak about 
Password Lock Protection and find out what it has in common with Pattern
 Lock. And finally we’ll try to understand how these locks are related 
to forensic investigation process. Generally pattern lock is a set of 
gestures that phone user performs to unlock his smartphone when he needs
 to use it. It seems to be complicated, but actually it is not..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-5114270280613497869?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/android-forensics-study-of-password-and.html</link><author>noreply@blogger.com (admin)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-8663633981843469801</guid><pubDate>Tue, 29 Nov 2011 15:59:00 +0000</pubDate><atom:updated>2011-11-29T08:00:04.971-08:00</atom:updated><title>Skype in eDiscovery</title><description>by Stuart Clarke, 7Safe&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"The EDRM (Electronic Discovery 
Reference Model) is a widely accepted workflow, which guides those 
involved in eDiscovery. Typically, the identification and collection 
phases see email and common office documents harvested, but as 
technology moves forward is this enough? Many of us are experiencing a 
rise in audio discovery projects using solutions including phonetics and
 speech to text. In time this is likely to move onto rich media, in 
particular video. As a forensic analyst, I know only too well the 
variety of different data sources which are overlooked in electronic 
disclosure exercises, yet I appreciate the strong argument of 
proportionality. Nevertheless, it is relatively straightforward to 
circumvent some proportionality claims with the appropriate skill sets 
and techniques. Throughout this article I will discuss proof of concept 
solutions dealing with Skype in eDiscovery..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/09/skype-in-ediscovery/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/09/skype-in-ediscovery/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-8663633981843469801?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/skype-in-ediscovery.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1322486998535877758</guid><pubDate>Tue, 29 Nov 2011 15:59:00 +0000</pubDate><atom:updated>2011-11-29T07:59:31.863-08:00</atom:updated><title>Forensic Toolkit v3 Tips and Tricks – On a budget</title><description>Posted by Brian K. Glass&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"While researching FTK 3X and Oracle, 
you just recently discovered that the best configuration of your Oracle 
database would be on a solid state drive (SSD). Solid state drives give 
the maximum level of performance to Oracle databases and in turn speed 
up your FTK 3X responsiveness. You are a conscientious analyst and 
decide to try reinstalling your database on an SSD. You approach your 
boss, who is not a techno geek, and ask him to purchase a 256GB high 
performance SSD..."&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/11/06/forensic-toolkit-v3-tips-and-tricks-on-a-budget/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/11/06/forensic-toolkit-v3-tips-and-tricks-on-a-budget/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-1322486998535877758?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=SNe9B8FEwLA:hvx9bEDn3yg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=SNe9B8FEwLA:hvx9bEDn3yg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=SNe9B8FEwLA:hvx9bEDn3yg:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/forensic-toolkit-v3-tips-and-tricks-on.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2601029190217035185</guid><pubDate>Tue, 29 Nov 2011 15:58:00 +0000</pubDate><atom:updated>2011-11-29T07:58:48.201-08:00</atom:updated><title>Anonymous, what does it mean?</title><description>Posted by forens245&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-style: italic;"&gt;"Anonymous, a word which 
Merriam-Webster describes as: of unknown authorship or origin, not named
 or identified, or lacking individuality, distinction, or 
recognizability. There are some in this world that wish to remain 
anonymous, not named or identified. Sure I am one of these people, but I
 have my reasons. With the work that I do, clinging to my anonymity is 
how I keep myself safe, out of harm’s way. There are many people that 
would like to see me hang for what I’ve uncovered about them..."&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;a href="http://articles.forensicfocus.com/2011/11/01/anonymous/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-2601029190217035185?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=UNrD5id9Z5E:e03s0FfbA1U:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=UNrD5id9Z5E:e03s0FfbA1U:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=UNrD5id9Z5E:e03s0FfbA1U:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/11/anonymous-what-does-it-mean.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-8591696364600822950</guid><pubDate>Fri, 07 Oct 2011 15:28:00 +0000</pubDate><atom:updated>2011-10-07T08:28:34.256-07:00</atom:updated><title>YouDetect – Implementing the principles of statistical classifiers and cluster analysis for the purposes of classifying illegally acquired multimedia files</title><description>&lt;div&gt;

&lt;div align="center" style="text-align: left;"&gt;
&lt;strong&gt;Author: Jonathan Murphy, 7Safe&lt;/strong&gt;&lt;/div&gt;
&lt;div align="center" style="text-align: left;"&gt;
&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;strong&gt;&lt;/strong&gt;Whilst all instances of the illegal acquisition of 
multimedia are not known, it is not possible to gain a complete loss 
value, but a loss of $12.5 billion has been suggested by the IPI. 
Continued response as a means of protecting the media companies and the 
income they receive from legal sales continues as copyright enforcement 
attempts to eradicate illegal downloading. This is forcing those who 
support the legal downloading material to invent new and more creative 
means to adapt technology to achieve their ends. ‘YouTube 
Downloader’ (YTD) is a proof of concept which allows the user to 
download videos (of any nature) from a number of video streaming 
websites simply by entering the URL of the video they wish to download. 
Whilst the application is specifically named after the website, 
YouTube.com, videos from many other websites can be acquired in this 
manner. The software allows the user to convert this video to a variety 
of multimedia formats including .mp3 and .avi. The individual can then 
view these files on any supporting media device or computer. In the 
case of copyrighted material, the individual who uploaded the material 
to YouTube in the first instance, as well as the individual who then 
‘reproduced’ the material by extracting the video file have infringed on
 copyright law. As of September 2011, YTD has received approximately 85 
million downloads via software download website, ‘CNET.com’ making it 
the most commonly used tool of its type by a significant margin. Yet, 
for something which assists and supports illegal 
downloading and multimedia piracy so significantly, little has been done
 to develop a suitable response...&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://articles.forensicfocus.com/2011/10/07/youdetect-implementing-the-principles-of-statistical-classifiers-and-cluster-analysis-for-the-purposes-of-classifying-illegally-acquired-multimedia-files-i/"&gt;Read more &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-8591696364600822950?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=1ch_BaEbyBE:y8Kb3CU_r0M:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=1ch_BaEbyBE:y8Kb3CU_r0M:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=1ch_BaEbyBE:y8Kb3CU_r0M:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/10/youdetect-implementing-principles-of.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-6214501929797589238</guid><pubDate>Fri, 07 Oct 2011 08:38:00 +0000</pubDate><atom:updated>2011-10-07T01:38:12.504-07:00</atom:updated><title>Advice for Digital Forensics Job Seekers</title><description>&lt;i&gt;by Joe Alonzo&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
You see the job advertisements posted 
on the web every day: Digital Forensics Analyst, Internet Investigator, 
Computer Forensic Associate.  You hit the Apply Now button, often never 
hearing back from said company.&lt;br /&gt;
&lt;br /&gt;
Your background may consist of computer 
programming/IT, network security or possibly even a background in law 
enforcement.  You ask yourself, “How do I get the attention of this 
organization and get them to hire me?”&lt;br /&gt;
&lt;br /&gt;
Working for the leader in 
Computer Forensics and eDiscovery recruiting and seeing all the good and
 bad that candidates have done, I can give you some great insight on how to 
get your dream job...&lt;br /&gt;
&lt;br /&gt;
&lt;a class="postlink" href="http://articles.forensicfocus.com/2011/10/07/advice-for-digital-forensics-job-seekers/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/2011/10/07/advice-for-digital-forensics-job-seekers/"&gt;Read more&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-6214501929797589238?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=nHF3geT9tHI:qSChrlYyOJY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=nHF3geT9tHI:qSChrlYyOJY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=nHF3geT9tHI:qSChrlYyOJY:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/10/advice-for-digital-forensics-job.html</link><author>noreply@blogger.com (admin)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4072655358153339268</guid><pubDate>Tue, 04 Oct 2011 11:56:00 +0000</pubDate><atom:updated>2011-10-04T04:56:49.901-07:00</atom:updated><title>Forensic Toolkit v3 Tips and Tricks – Re-indexing a case</title><description>&lt;i&gt;by Brian K.Glass&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This is the first in a series of articles that will cover topics concerning AccessData&amp;nbsp;Forensic Toolkit (FTK)&amp;nbsp;version 3.&lt;br /&gt;
&lt;br /&gt;

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic 
images of seized computers and assorted media which previously had been 
successfully processed and indexed. You’ve worked on this case for 
weeks, painstakingly searching and bookmarking thousands of keywords 
provided by Inspector R. Runner who has been investigating the Acme 
Corporation.&lt;br /&gt;
&lt;br /&gt;

Monday morning you come to work and fire up your FTK cluster, open 
your case, go to Indexed Search, type in the keywords Wile E. Coyote and
 Ka-Blam!! You get an error message saying a Search Request Error has 
occurred (Figure 1.) What happened, it was working fine on Friday?&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://articles.forensicfocus.com/2011/09/30/forensic-toolkit-v3-tips-and-tricks-re-indexing-a-case/"&gt;Read more &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-4072655358153339268?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=4MVSENb1W2U:Usvl2BioUb8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=4MVSENb1W2U:Usvl2BioUb8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4MVSENb1W2U:Usvl2BioUb8:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/10/forensic-toolkit-v3-tips-and-tricks-re.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2574137225521712991</guid><pubDate>Thu, 29 Sep 2011 12:30:00 +0000</pubDate><atom:updated>2011-09-29T05:33:53.637-07:00</atom:updated><title>Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)</title><description>&lt;i&gt;by Sean L. Harrington&lt;/i&gt; &lt;br /&gt;
&lt;br /&gt;
Significant legal and ethical challenges confront digital forensics 
investigators, for which some may not be well prepared.&amp;nbsp;Just as many 
lawyers may be confounded by technology in dealing with digital 
forensics matters, many digital forensics experts lack formal legal 
training, and are uninformed about their special obligations in the 
employ of a lawyer. These obligations include zealously guarding the 
attorney-client privilege, applying the work product doctrine, 
developing reports, exhibits, and testimony (that are both admissible 
and understandable to a lay jury or judge), and conducting their work in
 a way that does not compromise the integrity of the case or the rights,
 privileges, or immunities of the retaining party.&lt;br /&gt;
In certain situations, such as where digital forensics examiners serve as special masters (&lt;i&gt;see &lt;/i&gt;Fed.R.Civ.P. 53) or third-party neutrals (&lt;i&gt;see&lt;/i&gt; Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.&lt;br /&gt;
&lt;br /&gt;
The use of a third-party neutral has significant advantages. &lt;i&gt;&lt;i&gt;See, e.g.&lt;/i&gt;, &lt;/i&gt;Craig Ball,&lt;i&gt; &lt;i&gt;Neutral Examiners&lt;/i&gt;,&lt;/i&gt;
 Forensic Focus, 
http://www.forensicfocus.com/index.php?name=Content&amp;amp;pid=346. &amp;nbsp;First,
 as an officer of the court, the expert is subject to the court’s 
inherent powers, thereby providing an extra measure of accountability 
for misconduct (&lt;i&gt;e.g.,&lt;/i&gt; confidentiality breaches).&amp;nbsp; Second, a 
third-party neutral is ostensibly impartial, which impartiality 
presumptively aids in the fact-finding process and administration of 
justice. Third, the third-party neutral is aptly situated to resolve 
discovery disputes, including issues of confidentiality, relevance, and 
privilege, and, if necessary, obtain court intervention or &lt;i&gt;in camera&lt;/i&gt; review to resolve such disputes.&lt;br /&gt;
&lt;br /&gt;
But if the examiner is not appointed by the court, but rather is 
retained by a party to an adversarial proceeding, he or she is 
nevertheless obliged to ferret out the truth...&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://articles.forensicfocus.com/2011/09/24/is-your-client-an-attorney-be-aware-of-possible-constraints-on-your-investigation-part-1-of-a-multi-part-series/"&gt;Read more &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-2574137225521712991?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=ikTazH9zlGk:OXBV6-OTUOY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=ikTazH9zlGk:OXBV6-OTUOY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=ikTazH9zlGk:OXBV6-OTUOY:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/09/is-your-client-attorney-be-aware-of.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-9134504120950719296</guid><pubDate>Thu, 22 Sep 2011 17:09:00 +0000</pubDate><atom:updated>2011-09-22T10:09:42.159-07:00</atom:updated><title>Publishing articles at Forensic Focus</title><description>Forensic Focus is always keen to publish articles, papers or blog posts 
of interest to the digital forensics community. Articles are published 
not only &lt;a class="postlink" href="http://articles.forensicfocus.com/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/"&gt;online&lt;/a&gt;
 but also included in the monthly newsletter (sent to over 12,00 
subscribers) and promoted via our homepage/RSS feed, Twitter, LinkedIn 
and Facebook accounts.&lt;br /&gt;
&lt;br /&gt;
This is an excellent way of raising your profile or promoting your blog 
and items for publication are welcome from anyone working or studying in
 the field.&lt;br /&gt;
&lt;br /&gt;
To register as an author and start publishing at Forensic Focus, please use the form at &lt;a class="postlink" href="http://articles.forensicfocus.com/contact/" rel="nofollow" target="_blank" title="http://articles.forensicfocus.com/contact/"&gt;http://articles.forensicfocus.com/contact/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-9134504120950719296?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=JzrLJhSimHU:k82HbMJtsDk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=JzrLJhSimHU:k82HbMJtsDk:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=JzrLJhSimHU:k82HbMJtsDk:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/09/publishing-articles-at-forensic-focus.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2554488566135674937</guid><pubDate>Mon, 19 Sep 2011 13:03:00 +0000</pubDate><atom:updated>2011-09-19T06:03:38.897-07:00</atom:updated><title>What is “good enough” information security?</title><description>&lt;i&gt;by Simon Biles&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;

I have, occasionally in the past, mentored people in (on?) 
Information Security – once for money (this is not a revenue stream that
 I’ve mastered by any stretch of the imagination!), but more often than 
not, informally and infrequently. What there is in common with most 
people who are keen, but still a bit wet behind the ears, is an 
idealistic world view where Information Security, as a totality, can be 
obtained. It sometimes seems a bit like kicking a puppy to have to break
 it to people that, regardless of how long, how much money and how 
much technology you throw at something, it will still have 
vulnerabilities and risks. Even the proverbial “unplug it, stick it in a
 safe and throw away the key” is still vulnerable. I’ve seen “Oceans 11”
 – I know what can happen to a safe.&lt;br /&gt;
&lt;br /&gt;

The reality is what we do for a living is to make security “good 
enough” – we are risk managers, risk mitigators, risk avoidance and risk
 acceptance professionals. We know what can happen, and then we decide 
if spending £x on it is worth it. Where we go wrong, inevitably, is that
 we sometimes have absolutely &lt;em&gt;no idea&lt;/em&gt; about the value of the 
asset that we are protecting. How can you determine if a countermeasure 
or control is appropriate if you don’t know this figure? The real 
problem is that very often the business has no real idea either...&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://articles.forensicfocus.com/2011/09/19/what-is-good-enough-information-security/"&gt;Read more &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-2554488566135674937?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=hJxyH0V0Tz8:MqJY4mjcvZQ:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=hJxyH0V0Tz8:MqJY4mjcvZQ:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hJxyH0V0Tz8:MqJY4mjcvZQ:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/09/what-is-good-enough-information.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1836510284438143775</guid><pubDate>Wed, 24 Aug 2011 13:20:00 +0000</pubDate><atom:updated>2011-08-24T06:22:09.877-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mobile forensics</category><title>Obtaining Information from Mobile Devices in Criminal Investigations</title><description>&lt;p style="font-style: italic;"&gt;by David W. Bennett&lt;/p&gt;&lt;p&gt;Mobile device forensics is the process of recovering digital evidence  from a mobile device under forensically sound conditions and utilizing  acceptable methods. Forensically sound is a term used in the digital  forensics community to justify the use of a particular technology or  methodology. Many practitioners use the term to describe the  capabilities of a piece of software or forensic analysis approach  (McKemmish, 3). Mobile devices vary in design and manufacturer. They are  continually evolving as existing technologies progress and new  technologies are introduced. It is important for forensics investigators  to develop an understanding of the working components of a mobile  device and the appropriate tasks to perform when they deal with them on a  forensic basis. Knowledge of the various types of mobile devices and  the features they possess is an important aspect of gathering  information for a case since usage logs and other important data can  potentially be acquired using forensics toolkits. &lt;/p&gt; &lt;p&gt;Mobile device forensics has expanded significantly over the past few  years. Older model mobile phones could store a limited amount of data  that could be easily obtained by the forensics investigator. 
With the  development of the smartphone, a significant amount of information can  still be retrieved from the device by a forensics expert; however the  techniques to gather this information have become increasingly  complicated...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/"&gt;http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/&lt;/a&gt;
&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-1836510284438143775?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/08/obtaining-information-from-mobile.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-6133128957017378121</guid><pubDate>Tue, 23 Aug 2011 17:13:00 +0000</pubDate><atom:updated>2011-08-23T10:15:30.901-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">cold boot attack</category><category domain="http://www.blogger.com/atom/ns#">memory acquisition</category><title>An in-depth analysis of the cold boot attack: Can it be used for sound forensic memory acquisition?</title><description>by Richard Carbone
&lt;br /&gt;
&lt;br /&gt;The purpose of this technical memorandum is to examine the technical  characteristics behind the cold boot attack technique and to understand  when and how this technique should be applied to the field of computer  forensic investigations. Upon thorough examination of the technique, the  authors highlight its advantages, drawbacks, applicability and  appropriateness for use in the acquisition of computer memory contents.  The original cold boot attack paper, as conducted by a team of students  and researchers in 2008, demonstrated the usefulness of computer memory  remanence and how this phenomenon could be used to defeat popular disk  encryption tools and other data hiding techniques necessary for the  safe storage of secret data and information. However, the technique is  not a panacea and has many drawbacks dictated by the laws of physics,  which cannot be overcome by the technique...
&lt;br /&gt;
&lt;br /&gt;Read more at &lt;a href="http://articles.forensicfocus.com/2011/08/21/an-in-depth-analysis-of-the-cold-boot-attack-can-it-be-used-for-sound-forensic-memory-acquisition/"&gt;http://articles.forensicfocus.com/2011/08/21/an-in-depth-analysis-of-the-cold-boot-attack-can-it-be-used-for-sound-forensic-memory-acquisition/&lt;/a&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-6133128957017378121?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/08/in-depth-analysis-of-cold-boot-attack.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1008032827230525826</guid><pubDate>Mon, 22 Aug 2011 10:41:00 +0000</pubDate><atom:updated>2011-08-22T03:43:25.573-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Google history</category><category domain="http://www.blogger.com/atom/ns#">Google forensics</category><title>Google History Forensics</title><description>&lt;div style="font-style: italic;"&gt;by Craig Ball&lt;/div&gt;
&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/craig-ball.jpg" alt="Craig Ball" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Craig Ball is a Texas lawyer who limits his practice to service as a  court-appointed special master and consultant in computer forensics and  electronic discovery.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;In my last Forensic Focus column, I touched on migration to handhelds  and the cloud, mushrooming drive capacities and encryption-by-default  as just some of the factors auguring the eventual extinction of  conventional digital forensics. But an end to old school digital  forensics is no threat to examiners who evolve. There will be plenty to  do for those adapting their skills and tools to new sources and forms of  information. We will learn to read new tea leaves.&lt;/p&gt;  &lt;p&gt;Happily, for every source of forensically-rich information that fades  away, others emerge. For every MacBook configured to wipe deleted data,  there’s an iPhone storing screenshots and typed text. When webmail  shooed away some of our ability to locate messaging artifacts, social  networking and geolocation wandered in with stories to tell.&lt;/p&gt;  &lt;p&gt;Now and then, the emergent sources just seem too good to be true.&lt;/p&gt;  &lt;p&gt;Case in point: &lt;b&gt;Google History&lt;/b&gt;. &lt;/p&gt;  &lt;p&gt;Certainly, forensic analysts routinely look at Google searches &lt;i&gt;locally&lt;/i&gt;;  parsing Internet activity to assess what the user searched and surfed:  “Nude children.” “How to make chloroform.” “Wipe a hard drive.” It’s  compelling evidence. 
&lt;/p&gt;  &lt;p&gt;But, as users grow savvy about covering their tracks, we see more  cache deletion and deployment of antiforensic “privacy” tools designed  to deprive us of the low-lying fruit. It’s potentially “spoliation” on  the civil side and “obstruction of justice” on the criminal side. On  both sides, proving it helps justice be done. &lt;/p&gt;  &lt;p&gt;Then again, data can disappear innocently, too. Oliver Wendell  Holmes, Jr., observed that, “Even a dog distinguishes between being  stumbled over and being kicked." Discerning evil intent—&lt;i&gt;mens rea &lt;/i&gt;in  the law—is crucial to deciding whether and how much to punish actions  that result in lost evidence. One way we demonstrate intent is by  showing the planning that preceded an act. We reasonably infer intent to  destroy evidence from web searches seeking ways to make evidence  disappear.&lt;/p&gt;  &lt;p&gt;But what do you do when the data destroyed is the evidence of intent in its destruction?&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/craig-ball"&gt;http://www.forensicfocus.com/craig-ball&lt;/a&gt;
&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-1008032827230525826?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/08/google-history-forensics.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7547842109568687746</guid><pubDate>Fri, 29 Jul 2011 13:38:00 +0000</pubDate><atom:updated>2011-07-29T06:39:36.890-07:00</atom:updated><title>Important Changes to "Articles &amp; Papers" Section</title><description>From today, the section where we display user submitted articles and  research papers is changing significantly. Users will now be able to  upload, edit and publish their own articles.&lt;br /&gt;&lt;br /&gt;The URL for the new section is &lt;a href="http://articles.forensicfocus.com/" target="_blank" title="http://articles.forensicfocus.com/" class="postlink" rel="nofollow"&gt;http://articles.forensicfocus.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you would like to submit an article or paper please email &lt;a href="mailto:admin@forensicfocus.com"&gt;admin@forensicfocus.com&lt;/a&gt; so that we can start the process of setting you up with an account (separate from your normal Forensic Focus account).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-7547842109568687746?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/07/important-changes-to-articles-papers.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4798019148380323328</guid><pubDate>Wed, 29 Jun 2011 11:43:00 +0000</pubDate><atom:updated>2011-06-29T04:45:27.068-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">computer forensics recruitment</category><category domain="http://www.blogger.com/atom/ns#">Scott Burkeman</category><title>Interview with Scott Burkeman, Warner Scott Recruitment</title><description>&lt;div&gt;&lt;i&gt;Scott is a Director at &lt;a href="http://www.warnerscott.com/"&gt;Warner Scott Recruitment&lt;/a&gt; in London, specialising in computer forensics recruitment throughout the UK and abroad.&lt;/i&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Forensic Focus: Can you tell us something about your background? How did Warner Scott Recruitment come into being?&lt;/b&gt; &lt;p&gt; Scott Burkeman: I have been involved in Forensic Technology and Fraud  recruitment for over a decade, working for an international recruitment  firm and more recently with Warner Scott. I initially began placing  Senior Forensic Accounting professionals prior to the boom in Computer  Forensics. Many of my clients were looking to develop Computer Forensic  teams from scratch and asked me to get involved in the recruitment of  Forensic Technology candidates to assist in their growth plans. Since  then, the rest is history!  &lt;/p&gt;&lt;p&gt; Warner Scott Recruitment was set up in 2006 as a specialist recruitment  consultancy with the vision of developing long-standing, meaningful  relationships with both our candidates and clients. We have a strong  focus on the Computer Forensic and eDiscovery market and are one of only  a handful of specialist consultancies that have a dedicated team  focusing in this area.  
&lt;/p&gt;&lt;p&gt; Many of the candidates we have placed over the years are now our clients  and vice versa. We pride ourselves in our market knowledge, deep  relationships and a strong understanding of the markets we operate in.  We are fortunate enough to work on many roles on an exclusive basis as  our clients trust us enough to find the best people in the market. &lt;/p&gt;&lt;p&gt; The Computer Forensic area is an extremely unique market to operate  within and has some wonderful characters and personalities that make  this area a pleasure to work in. &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;b&gt;Forensic Focus: What services do you offer to digital forensics jobseekers?&lt;/b&gt; &lt;/p&gt;&lt;p&gt; Scott Burkeman: We are more than just a recruitment firm. As well as  placing candidates into roles, we offer career advice and counselling,  coaching, CV advice, interview tips and much more. As mentioned above,  we are keen to develop long term relationships with our candidates, so  if anyone fancies a chat about the state of the market, is looking to  benchmark their salary or just wants some career advice, please do not  hesitate to call us, or pop in to see us for a coffee and chat. &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;b&gt;Forensic Focus: What is the current state of the digital forensics job market? Which sectors are hiring?&lt;/b&gt; &lt;/p&gt;&lt;p&gt; Scott Burkeman: The market has been up and down in recent years, which  has been characterised by the state of the wider economy. With the  government cuts in public spending, there has been much uncertainty  within the public sector, which has resulted in some redundancies. Many  private sector companies which previously had large government contracts  have had to adapt and change to accommodate the loss of work. &lt;/p&gt;&lt;p&gt; However, the eDiscovery &amp;amp; Litigation Support market continues to  remain buoyant as well as the Data Analytics arena. 
The large  consultancy firms and international boutiques are still hiring the best  candidates and increasingly Banks and Corporates are approaching us to  help fill in-house Investigations roles.  &lt;/p&gt;&lt;p&gt; With the increase of Anti Money Laundering (AML) projects and the  introduction of the Anti Bribery &amp;amp; Corruption Act this year, the  demand for Forensic Technology experts with strong corporate  investigations experience remains high...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/scott-burkeman-interview-290611"&gt;http://www.forensicfocus.com/scott-burkeman-interview-290611&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-4798019148380323328?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/06/interview-with-scott-burkeman-warner.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-9087254965939646849</guid><pubDate>Tue, 24 May 2011 13:37:00 +0000</pubDate><atom:updated>2011-05-24T06:39:58.505-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">data recovery training</category><category domain="http://www.blogger.com/atom/ns#">Scott Moulton</category><category domain="http://www.blogger.com/atom/ns#">data recovery</category><title>Scott Moulton’s “5-Day Data Recovery Expert Certification” Course</title><description>&lt;div&gt;&lt;i&gt;reviewed by Karlo Arozqueta&lt;/i&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.myharddrivedied.com/data-recovery-training"&gt;http://www.myharddrivedied.com/data-recovery-training&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Just about every individual who is immersed in the Information  Technology field has either personally experienced it, or knows someone  who has: The hard drive “click of death”. For most, this sound is the  start of a downward spiral of doom and depression and eventually a large  bill from a data recovery company. For some, however, this is the  beginning of a new field of interest in technology. There is only one  problem: The field of hard drive data recovery is one that is still  shrouded in secrecy and misinformation. How can someone break into an  industry where advice is doled out in hushed tones and newcomers are  shunned and told to seek professional (read:$$$) help?&lt;/p&gt;  &lt;p&gt;Scott Moulton has been trying to change that, and is one of the few  individuals teaching a vendor-neutral data recovery class to the public.  I attended one of Scott’s 5 day training classes in 2009, and have kept  up with him as the course has grown. 
In an effort to assist other  individuals in deciding if this course is worth taking, I opted to write  this review. Please note that while my personal attendance of the  course was in 2009, I routinely volunteer to assist in these courses  (for free) when they come to my geographic area of Washington DC, so  this information is current as of May of 2011. Also, while the term  “hard drive” has now become the catch-all term, the course material  covers recovery of both traditional mechanical hard drives and touches  on the latest recovery technologies for flash based devices like USB  thumb drives and Solid-State Drives (SSD).&lt;/p&gt;  &lt;p&gt;This class is appropriate for any individuals who have a solid  understanding of computer forensics and filesystems and want to take  their knowledge to the next level in terms of understanding exactly how  data is stored on the drive, how the device works, and how it can be  recovered when conventional imaging techniques fail. This was my primary  reason for attending the course. The class is also appropriate for any  individual who wants to approach data recovery as a means to expand  their computer-support business and wants to add DR (data recovery) as  an additional service...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/scott-moulton-data-recovery-review-200511"&gt;http://www.forensicfocus.com/scott-moulton-data-recovery-review-200511&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-9087254965939646849?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/05/scott-moultons-5-day-data-recovery.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-437320762979479160</guid><pubDate>Tue, 24 May 2011 11:24:00 +0000</pubDate><atom:updated>2011-05-24T04:26:36.688-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">chris hargreaves</category><title>Standard Units in Digital Forensics</title><description>&lt;div style="font-style: italic;"&gt;by Chris Hargreaves&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/chris-hargreaves.jpg" alt="Chris Hargreaves" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  One of the earliest lectures in the MIT Openware programme in Physics  begins with the lecture “Units and Dimensional Analysis”. Units of  measurement are critical to science, so much so that there is a standard  that defines science’s system of units, for example the precise  definition of a kilogram -- the SI (&lt;i&gt;Système International d’Unités&lt;/i&gt; or &lt;i&gt;International System of Units&lt;/i&gt;).  The notion of units of measurement in science is extremely important  and it therefore seems sensible to consider how this applies to digital  forensics.   &lt;p&gt; As we will see, this does not necessarily suggest that there should be  standard units of measurement in digital forensics, to report, for  example, the position of the start of a file. 
As will be discussed later  in the article, this is not always appropriate, since it is useful to  describe such positions in different ways depending on the context.  However, this article will discuss that reporting &lt;i&gt;&lt;b&gt;some&lt;/b&gt;&lt;/i&gt; unit of measurement is essential.  &lt;/p&gt;&lt;p&gt; Perhaps it is best to begin with a simple example: &lt;/p&gt;&lt;p&gt; &lt;i&gt;“the text string ‘this is evidence’ was located at position 34556”&lt;/i&gt; &lt;/p&gt;&lt;p&gt; Since this important evidential artefact has been located, it seems  sensible to check that the artefact is actually there. So, we should  examine position 34556... but 34556 what? Bytes, sectors, blocks? Let us  assume just for a second that the position is expressed in bytes, but  what about the number base? If the position in which the string was  identified was 86FC, it would be reasonable to assume that this is a  hexadecimal offset. However, in this example we have 34556. This could  be decimal or hexadecimal. So in order to precisely identify the  position of this string, not only does the unit of measurement need to  be expressed, but so too does the number base in which it is expressed. &lt;/p&gt; Furthermore, consider the organisation of a disk...&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/chris-hargreaves"&gt;http://www.forensicfocus.com/chris-hargreaves&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-437320762979479160?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=hAbgFkU9dys:CCKcyE5kJbY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=hAbgFkU9dys:CCKcyE5kJbY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=hAbgFkU9dys:CCKcyE5kJbY:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/05/standard-units-in-digital-forensics.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-6721249419370381629</guid><pubDate>Tue, 24 May 2011 10:15:00 +0000</pubDate><atom:updated>2011-05-24T03:18:14.078-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Nessus</category><category domain="http://www.blogger.com/atom/ns#">vulnerability scanners</category><category domain="http://www.blogger.com/atom/ns#">Si Biles</category><title>PitchLake - a tar pit for scanners</title><description>&lt;div&gt;&lt;span style="font-style: italic;"&gt;by Simon Biles&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/simon-biles.gif" alt="Simon Biles" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Simon Biles is a founder of &lt;a href="http://www.thinking-security.com/"&gt;Thinking Security Ltd.&lt;/a&gt;, an Information Security and Risk Management consultancy firm based near Oxford in the UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;   &lt;p&gt;We’ve had two bank holidays in a row here in the UK – first off for  Easter, then for the Royal Wedding – time off work coupled with very  pleasant weather and plenty of “refreshments” has caused my brain to  atrophy! So, rather than pulling one of my usual type of topics from the  hat for this article, I thought that I’d do a mini-project for the  month.&lt;/p&gt;  &lt;p&gt;[ I’ll apologise up front though – I can only just program in both  Perl and C, and C isn’t exactly column friendly, so it’ll be Perl. 
I  know that many readers here can program in Perl, and most of you  probably better than me – I’d be interested to hear corrections, tips  and tricks in the comments so as to improve, as no doubt there are  better ways of doing this ! ]&lt;/p&gt;  &lt;p&gt;One of my first tasks in the office this morning, after a cup of  coffee of course, was to review my server logs [1]. As of yet I’ve not  got enough staff to have a minion to do this for me, but to be honest  I’d miss the connection to the real world of computing if I did [2]. I  run a Linux server in a datacentre in Birmingham as my company’s main  web-server and my high bandwidth, static IP’d pen-test machine. For the  last few months I’ve been meaning to do something about the 404 errors (&lt;a href="http://en.wikipedia.org/wiki/HTTP_404"&gt;http://en.wikipedia.org/wiki/HTTP_404&lt;/a&gt;)  that are being reported by Apache – some are my fault for taking pages  away that people clearly still cross reference – the others though are  clearly the work of automated web vulnerability scanning tools.&lt;/p&gt;  Vulnerability scanners (&lt;a href="http://en.wikipedia.org/wiki/Vulnerability_scanner"&gt;http://en.wikipedia.org/wiki/Vulnerability_scanner&lt;/a&gt;)  are the bottom end of the pen-test toolkit – they are to penetration  testing what the Windows “find” command is to digital forensics; i.e.  superficial and basic. There are various types – but of interest today  are those that operate on the application layer over HTTP (&lt;a href="http://en.wikipedia.org/wiki/ISO_model#Layer_7:_Application_Layer"&gt;http://en.wikipedia.org/wiki/ISO_model#Layer_7:_Application_Layer&lt;/a&gt;). 
In the open source market both Nikto (&lt;a href="http://www.cirt.net/nikto2"&gt;http://www.cirt.net/nikto2&lt;/a&gt;) and Nessus (&lt;a href="http://www.tenable.com/products/nessus"&gt;http://www.tenable.com/products/nessus&lt;/a&gt;)  [ Nessus isn’t open source per se, but is free for home use … ] are  examples of products that perform tests against webservers for  potentially insecure CGIs and files – the trouble with this is that in  order to determine if an insecure CGI script or file is present, the  scanner asks Apache for it, and receives a 404 if it isn’t there, each  404 is written to the log, and when Nikto, for example, tests for over  6400 possible vulnerabilities you can imagine what the logs look like !  Sadly, tools like these, as they are available to everyone, are not only  used by the kind of people that get written authorisation before  testing your web server...&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/simon-biles"&gt;http://www.forensicfocus.com/simon-biles&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-6721249419370381629?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=4ZUzDolmKzs:RXZt6OjTr5s:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=4ZUzDolmKzs:RXZt6OjTr5s:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=4ZUzDolmKzs:RXZt6OjTr5s:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/05/pitchlake-tar-pit-for-scanners.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2267360934283266696</guid><pubDate>Tue, 29 Mar 2011 08:23:00 +0000</pubDate><atom:updated>2011-03-29T01:23:51.411-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">craig ball</category><title>The End of Digital Forensics?</title><description>&lt;div&gt;by Craig Ball&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/craig-ball.jpg" alt="Craig Ball" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Craig Ball is a Texas lawyer who limits his practice to service as a  court-appointed special master and consultant in computer forensics and  electronic discovery.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  When Microsoft introduced its Encrypting File System (EFS) in Windows  2000, the Cassandras of computer forensics peppered the listserves with  predictions that the days of digital forensics were numbered.   Ten  years on and hundreds of systems acquired, I’ve yet to handle a case  stymied by encryption—and 90% of my acquisitions were corporate  machines, many with TPMs and fingerprint readers.  &lt;i&gt;Voluntary&lt;/i&gt; encryption turned out to be &lt;i&gt;no&lt;/i&gt; encryption at all. &lt;p&gt; The next sky falling threats to forensics were privacy tools and  features.  
“Surely,” our Chicken Littles clucked, “everyone will run  free tools that routinely wipe unallocated clusters and securely delete  data!”   Turns out, they only run the antiforensic tools right before  the examiner arrives, and most such tools do a lousy job covering their  tracks.  Instead, we’ve come to see much &lt;i&gt;more&lt;/i&gt; revealing data and  metadata created and retained by operating systems.  The Windows  Registry and all those logs and .dat files are like birthday presents  from Bill Gates. &lt;/p&gt;&lt;p&gt; Finally, there are the stormy forecasts about the Cloud.  Absent  dominion over physical storage media, digital forensics is indeed  different.  We need credentials to acquire data in the Cloud, and  deletion tends to mean really gone.  But the silver lining is that the  portable devices used to access Cloud data tend to store so much  information that they’re proving a cornucopia of case-making  information.  Are handhelds trickier to acquire?  Sure.  Are they less  revealing?  Not on your life! &lt;/p&gt;&lt;p&gt; But lately, one acorn that &lt;i&gt;has&lt;/i&gt; fallen on my head and caused me to  look warily aloft is the quantum leap in hard drive capacity.  I  suspect I’ve acquired more aggregate data in the last year than in all  of the previous nine years &lt;i&gt;put together&lt;/i&gt;.  Not more &lt;i&gt;media&lt;/i&gt;, mind you, &lt;i&gt;more data&lt;/i&gt;.  At least more &lt;i&gt;nulls&lt;/i&gt;, but we’ve got to read those too, right?&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/craig-ball"&gt;http://www.forensicfocus.com/craig-ball&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-2267360934283266696?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=qn5tT0TvYJY:OTFkeNFdsL8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=qn5tT0TvYJY:OTFkeNFdsL8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=qn5tT0TvYJY:OTFkeNFdsL8:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/03/end-of-digital-forensics.html</link><author>noreply@blogger.com (admin)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1770088810131997058</guid><pubDate>Mon, 28 Mar 2011 04:42:00 +0000</pubDate><atom:updated>2011-03-27T21:44:39.904-07:00</atom:updated><title>Fragmentation of the digital forensics community</title><description>From the forums:&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;br /&gt;I started in the digital forensics community about five years ago, and I  already feel old, and I am a Johnny-come-lately. This post may come off  as a “Hey, you kids, get offa my lawn!” rant. Rather than a rant, I  really hope that people start talking about a way to find a small number  of safe lawns for all the kids to play on.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; In those five years I’ve noticed that the computer forensics community  has become *less* supportive, not more supportive. This runs contrary to  trends to other communities such as software engineering tools, web  frameworks, and startups. I have some feelings and thoughts on why this  is. I wish I had some good ideas on how to turn this trend around.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; I think there are four major problems:&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; 1) Fragmentation of the sites supporting the community.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; When I showed up, there was Forensic Focus, the CCE list, and HTCIA.  (And other people probably had their three or four sources that don’t  overlap with mine.) Now, I’ve got Forensic Focus, CCE, HTCIA, HTCC,  DFCB, wn4n6s, and a host of OS and tool specific sites. 
Then there is  LinkedIn, with an almost one to one mapping of all the external groups,  plus subgroups, plus additional new groups not represented elsewhere. It  seems that everyone wants their own lawn to play on rather than  contributing to the health of an existing lawn. How often have you seen a  post along the lines of “Hey, I set up a new forensics wiki! Come check  it out and help it grow!” Or found yet another computer forensics  LinkedIn group?&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; This leads to two related problems: Where do you post, and where do you  go looking for information? I belong to a lot of the mailing lists and  use my personal mail archive as a research tool when I have questions,  but that doesn’t reach into the various web based forums. And if I want  to post a question, where does it go? Some people blast every mailing  list they’re on, hoping for an answer. And the more we balkanize, the  more likely those questions are to go unanswered.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;&lt;span style="font-style: italic;"&gt; I still use FF and the CCE list mostly, but then there are items #2 and #3...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/index.php?name=Forums&amp;amp;file=viewtopic&amp;amp;t=7442"&gt;http://www.forensicfocus.com/index.php?name=Forums&amp;amp;file=viewtopic&amp;amp;t=7442&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-1770088810131997058?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=xPDl_lE01vs:WbvL1XKsdcM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=xPDl_lE01vs:WbvL1XKsdcM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xPDl_lE01vs:WbvL1XKsdcM:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/03/fragmentation-of-digital-forensics.html</link><author>noreply@blogger.com (admin)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7038062173608608490</guid><pubDate>Thu, 24 Mar 2011 12:53:00 +0000</pubDate><atom:updated>2011-03-27T21:45:40.050-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mobile telephone connection records</category><category domain="http://www.blogger.com/atom/ns#">Sam Raincock</category><title>Evaluating Mobile Telephone Connection Behaviour - Part 2</title><description>by Sam Raincock&lt;br /&gt;&lt;br /&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/sam-raincock.jpg" alt="" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; &lt;i&gt;Sam Raincock from &lt;a href="http://www.raincock.co.uk/"&gt;SRC&lt;/a&gt; is an  IT and telecommunications expert witness specialising in the evaluation  of digital evidence. She also provides training and IT security  consultancy.&lt;/i&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;&lt;u&gt;Connection Records&lt;/u&gt;&lt;p&gt; Within the UK, details of past telephone connections are stored by the  network providers.  The minimum storage is advised by the Data Retention  (EC Directive) Regulations [1][2].  However, each network provider is  able to disclose different types of information about past connection  activity and this availability also changes over time.  As a result, it  is important to be familiar with what connection record information may  be available to your case so you can make appropriate requests to obtain  access to it.  
Perhaps a useful strategy for companies undertaking  connection record evaluation work would be to compile a procedure where  your organisation will contact the network providers every 6 months to  determine if anything has changed.   &lt;/p&gt;&lt;p&gt; It is also important to note that the network providers will provide a  ‘standard’ format of connection records if they are not directed  regarding the information you require.  My philosophy with network  records is that if you don’t ask, you won’t get it! &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;u&gt;Examining Connection Records&lt;/u&gt; &lt;/p&gt;&lt;p&gt; Most often the instructions received in connection charting matters are  to compile charts of connection patterns of the telephones of interest  in a case.  This is generally over a certain time period and may also  include a frequency analysis to determine how many connections have  occurred with particular numbers of interest.  It may (especially in  defence cases) also include questions about the meaning of connections  and the possible circumstances of the calls/SMS messages. &lt;/p&gt;&lt;p&gt; Where connection records specialists are lucky, they are provided with  the records in electronic format.  Where they are ill-fated they obtain a  file of 500+ pages in paper format and the electronic records are  unavailable (very common in older cases). &lt;/p&gt;&lt;p&gt; With paper records, you have two options: transfer the records into  electronic format (however, you are going to have to thoroughly validate  that this has occurred correctly) or you will need to examine them by  eye.  Actually, dealing with paper connection records is a lot easier  than it sounds as you become used to looking for patterns over time. 
&lt;/p&gt;&lt;p&gt; With electronic records, if you are using pivot tables to assist you in  performing a frequency analysis of the connection behaviour to establish  how many connections have been made with certain telephone numbers of  interest, remember that a telephone number may be provided in the  records in various formats.  For example, 07777 111111 may also be  provided as 447777 111111.   &lt;/p&gt;&lt;p&gt; Also with electronic records – make sure you don’t suffer from sorting  issues.  Firstly, if you haven’t set your data to be the correct type  (which can be an annoying activity in itself), sorting can produce  unexpected results.  And of course, there is also the old Excel sorting  problem where you sort by column and don’t expand the selection to the  other data values too, resulting in shuffling your original connection  records table. &lt;/p&gt;&lt;p&gt; Although all these points may seem very basic, in my experience mistakes  do occur in this type of processing.  Another area for error is  overlooking the obvious – the date being in the wrong format or the  wrong number is searched for etc.    Hence, the key when performing  connection charting/analysis is to validate, validate, validate and  assume nothing...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sam-raincock"&gt;http://www.forensicfocus.com/sam-raincock&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-7038062173608608490?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=mxEpd3eeOD4:h_cUMAZ74Cs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=mxEpd3eeOD4:h_cUMAZ74Cs:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=mxEpd3eeOD4:h_cUMAZ74Cs:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2011/03/evaluating-mobile-telephone-connection.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item></channel></rss>

