Tuesday, March 29, 2011

The End of Digital Forensics?

by Craig Ball

Craig Ball
About the Author

Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks. Instead, we’ve come to see much more revealing data and metadata created and retained by operating systems. The Windows Registry and all those logs and .dat files are like birthday presents from Bill Gates.

Finally, there are the stormy forecasts about the Cloud. Absent dominion over physical storage media, digital forensics is indeed different. We need credentials to acquire data in the Cloud, and deletion tends to mean really gone. But the silver lining is that the portable devices used to access Cloud data tend to store so much information that they’re proving a cornucopia of case-making information. Are handhelds trickier to acquire? Sure. Are they less revealing? Not on your life!

But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?

Read more at http://www.forensicfocus.com/craig-ball

Sunday, March 27, 2011

Fragmentation of the digital forensics community

From the forums:

I started in the digital forensics community about five years ago, and I already feel old, and I am a Johnny-come-lately. This post may come off as a “Hey, you kids, get offa my lawn!” rant. Rather than a rant, I really hope that people start talking about a way to find a small number of safe lawns for all the kids to play on.

In those five years I’ve noticed that the computer forensics community has become *less* supportive, not more supportive. This runs contrary to trends to other communities such as software engineering tools, web frameworks, and startups. I have some feelings and thoughts on why this is. I wish I had some good ideas on how to turn this trend around.

I think there are four major problems:

1) Fragmentation of the sites supporting the community.

When I showed up, there was Forensic Focus, the CCE list, and HTCIA. (And other people probably had their three or four sources that don’t overlap with mine.) Now, I’ve got Forensic Focus, CCE, HTCIA, HTCC, DFCB, wn4n6s, and a host of OS and tool specific sites. Then there is LinkedIn, with an almost one to one mapping of all the external groups, plus subgroups, plus additional new groups not represented elsewhere.It seems that everyone wants their own lawn to play on rather than contributing to the health of an existing lawn. How often have you seen a post along the lines of “Hey, I set up a new forensics wiki! Come check it out and help it grow!” Or found yet another computer forensics LinkedIn group?

This leads to two related problems: Where do you post, and where do you go looking for information? I belong to a lot of the mailing lists and use my personal mail archive as a research tool when I have questions, but that doesn’t reach into the various web based forums. And if I want to post a question, where does it go? Some people blast every mailing list they’re on, hoping for an answer. And the more we balkanize, the more likely those questions are to go unanswered.

I still use FF and the CCE list mostly, but then there are items #2 an #3...

Read more at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=7442

Thursday, March 24, 2011

Evaluating Mobile Telephone Connection Behaviour - Part 2

by Sam Raincock

Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.
Connection Records

Within the UK, details of past telephone connections are stored by the network providers. The minimum storage is advised by the Data Retention (EC Directive) Regulations [1][2]. However, each network provider is able to disclose different types of information about past connection activity and this availability also changes over time. As a result, it is important to be familiar with what connection record information may be available to your case so you can make appropriate requests to obtain access to it. Perhaps a useful strategy for companies undertaking connection record evaluation work would be to compile a procedure where your organisation will contact the network providers every 6 months to determine if anything has changed.

It is also important to note that the network providers will provide a ‘standard’ format of connection records if they are not directed regarding the information you require. My philosophy with network records is that if you don’t ask, you won’t get it!

Examining Connection Records

Most often the instructions received in connection charting matters are to compile charts of connection patterns of the telephones of interest in a case. This is generally over a certain time period and may also include a frequency analysis to determine how many connections have occurred with particularly numbers of interest. It may (especially in defence cases) also include questions about the meaning of connections and the possible circumstances of the calls/SMS messages.

Where connection records specialists are lucky, they are provided with the records in electronic format. Where they are ill-fated they obtain a file of 500+ pages in paper format and the electronic records are unavailable (very common in older cases).

With paper records, you have two options: transfer the records into electronic format (however, you are going to have to thoroughly validate that this has occurred correctly) or you will need to examine them by eye. Actually, dealing with paper connection records is a lot easier than it sounds as you become used to looking for patterns over time.

With electronic records, if you are using pivot tables to assist you in performing a frequency analysis of the connection behaviour to establish how many connections have been made with certain telephone number of interest, remember that a telephone number may be provided in the records in various formats. For example, 07777 111111 may also be provided as 447777 111111.

Also with electronic records – make sure you don’t suffer from sorting issues. Firstly, if you haven’t set your data to be the correct type (which can be an annoying activity in itself), sorting can produce unexpected results. And of course, there is also the old Excel sorting problem where you sort by column and don’t expand the selection to the other data values too, resulting in shuffling your original connection records table.

Although all these points may seem very basic, in my experience mistakes do occur in this type of processing. Another area for error is overlooking the obvious – the date being in the wrong format or the wrong number is searched for etc. Hence, the key when performing connection charting/analysis is to validate, validate, validate and assume nothing...

Read more at http://www.forensicfocus.com/sam-raincock

Tuesday, March 22, 2011

Biles’ Hierarchy of Disaster Recovery Needs

by Simon Biles

Having failed to keep up with my New Year’s resolution of being more organised (the observant of you might have noticed the absence of a February column), it’s nice to be able to move into a new season – spring is with us and in the UK at least, that seems to mean a return to below freezing nights and having to defrost my car each morning. Roll on global warming I say! It never ceases to amaze me how quickly the UK grinds to a halt when we have a little inclement weather, you’d think that we’d be used to it by now – but over December I had the absolute pleasure of being stuck in Edinburgh because there was the wrong amount of snow on the runway or something like that. Luckily, we had contingency plans in place and, after 48 hours we were back at home in Oxfordshire. We were certainly fortunate - we passed hundreds of people in the airport who weren’t going anywhere and had no other option but to wait it out. In vast contrast, in the Middle East over the last few months, not only has the weather been hot, but so has the political climate, and I have been amazed by the speed with which the ruling governments have acted to cut off the internet.

The tenuous link? Business Continuity Planning and Disaster Recovery Planning. It doesn’t take long if you watch the IT News before you come across a good example of bad BCP/DRP – my favourite this month was Vodafone but this is just a retelling of an old story. The fact that a major organisation (a) had a single point of failure in the first place and (b) couldn’t fail it over to another, backup site immediately is more than a little embarrassing. Vodafone are in quite a privileged position though, whilst their outage is clearly damaging to their image, in real terms, their clients are tied into long term contracts, it was one day out of service out of a year, and their clients' capability to demonstrate their own BC/DR plans (e.g. use a landline) mean that they are unlikely to lose much business from the mistake. For a smaller outfit however, the loss of even one component (like your laptop or examination machine) could cripple you for days and potentially lose you significant business. I, personally, suffered a hard disk failure on my MacBook Pro (under Apple Care, but not a quick fix – two weeks) and although I had full backups of everything to within 24 hours, I had to go and source a temporary machine to restore them to in order to carry on working. In fact, in light of the fact that I _didn’t_ have a BCP/DRP, I bought a second, smaller & cheaper, laptop that I could bring into play should the main one fail again.

Before I go on, I should clarify that there is a difference between BCP and DRP – one (BCP) tends to be used for aspects of failure, such as a hard-disk failing, the other (DRP) is in the case of catastrophic events, such as your building burning down. In my experience most people don’t have adequate of either, however there is a lot of common material between the two, and I’m going to continue this article from more of a DRP perspective...

Read more at http://www.forensicfocus.com/simon-biles