Wednesday, August 29, 2012

Windows 8 Forensics webinar - alternative URL

Sincere apologies to anyone having difficulty connecting to the Meetingburner service to view the Windows 8 Forensics presentation - please try the following URL on YouTube instead:

Josh is available in the webinars forum to answer any questions. Please go here if you would like to join in the discussion.

Additionally, a PDF with slides from the presentation can be downloaded here.

I will get these gremlins out of the system soon, I promise!


Tuesday, August 28, 2012

JADsoftware - The Company Behind IEF - Re-Launches As Magnet Forensics Inc.

JADsoftware, the company behind the industry-leading digital forensics product Internet Evidence Finder (IEF), announced on Monday that they have re-launched the company under a new name - Magnet Forensics Inc.

“A lot has changed since I launched JADsoftware and first developed IEF while working as a police officer and forensic examiner,” said Jad Saliba, Founder and Chief Technology Officer of Magnet Forensics.

“After a couple years juggling both jobs, I realized that IEF had tremendous potential to help forensics professionals perform better investigations, so I decided to dedicate myself to developing the software full-time,” Saliba explained. “We now have a team of talented individuals who are working around the clock to take IEF to the next level. The time felt right to transition to a name that better reflects what we do, which is help our customers get to key Internet evidence as quickly and easily as possible, among a proliferation of online data.”

Read more

Monday, August 27, 2012

Computer Analysts and Experts – Making the Most of GPS Evidence

by Professor David Last

The many companies that sell software for computer forensics have developed products for analysing satellite navigators. Police high tech crime units and independent laboratories now use this software on an industrial scale. Computer technicians conduct the analyses. This is home territory for them, since the biggest component of a vehicle satellite navigator is a computer, often running the Linux operating system, and with access via a USB connection or an SD card. The analysis software extracts addresses which it plots using tools such as Google Maps. Specialists extract similar data from satnavs built into vehicles.

But many investigating officers find the results disappointing: “it’s just a list of addresses!” Unlike CCTV, ANPR and witness evidence, there are rarely times or dates to fit into a chronology. And anyway, the addresses are simply destinations for planning routes. The defence will point out that no-one can say who entered them, or at what time on what date, or whether a route was planned to them, or whether the satnav ever went there, let alone in a specific vehicle driven by their client!

Another problem is that the investigating officer may simply not be able to understand the data provided. What are all these addresses? Were they recorded by the device itself or input by a user? Was that inputting an intentional action? The sense of frustration is enhanced by the quality of reports generated by much commercial software. The best packages provide at least some explanation of the data they contain, the worst none at all. The technicians who conduct the analyses often have neither the time nor the training to help. This leaves the officer with the prospect of presenting and defending poorly understood data in court. Some just give up!

But the addresses may at least have intelligence value...

Read more

Friday, August 24, 2012

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic.  What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code.

While conducting their research, they found that practical tool-based solutions existed for generating digital forensic timelines, though they each had specific limitations.  Thus, efforts were undertaken by the authors to provide an alternative timeline generation framework.  Although some in the community had already proposed the use and generation of supertimelines, all too often important data sources were being left out.  In order to rectify this, it became necessary to couple additional tools in order to provide maximum evidentiary extraction...

Read more

Wednesday, August 22, 2012

Webinar: Windows 8 Forensics - A First Look

Take a first look at Windows 8 forensics in a webinar presented by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University. Learn about the changes in Windows 8 which forensic examiners should be aware of before this new OS is released to the public in October. After the webinar Josh will be available in the Forensic Focus forums to answer any questions.

Date: Wednesday, August 29 2012
Time: 11AM EDT US / 4PM BST UK / 15:00 GMT
Duration: 35 mins

Register today at

Please share this invitation with any friends or colleagues who might also be interested, thank you.

Friday, August 17, 2012

Apple phones are AES-tough, says forensics expert

Monday's Technology Review carries a glowing tribute to Apple iPhone security by its author, Simson Garfinkel, a contributing editor who works in computer forensics and is highly regarded as a leader in the field. He says Apple has passed a threshold: “Today the Apple iPhone 4S and iPad 3 are trustworthy mobile computing systems that can be used for mobile payments, e-commerce, and the delivery of high-quality paid programming,” thanks to Apple’s heavy investment in iPhone security. That is the “threshold” he means, and Apple has crossed it. Even law enforcement cannot perform forensic examinations of Apple devices seized from criminals, he said...

Read more

Thursday, August 16, 2012

Researchers Show How to Crack Android Encryption

As forensic examiners, some of the last things we want to hear are "encryption" and "enabled" in the same sentence; however, that is exactly what has been happening with the current line of Android devices. Starting with Android 3.0, devices have been shipping with the ability for the user to enable full device encryption. Fortunately for the forensic community, there are individuals determined to find a way to break that encryption - and they have already proven how to do so. Two such researchers - Thomas Cannon and Seyton Bradford - have demonstrated successful brute force attacks against Android encryption. Thomas detailed their findings at DEF CON 2012 in his presentation "Into the Droid - Gaining Access to User Data"...

He explains that the encryption uses standard Linux dm-crypt, incorporated in Android devices running version 3.0 and newer, and that the same password used to unlock or log in to the device is used to derive the key that encrypts and decrypts data. So while the encryption itself is generally considered strong, users default to short or easy-to-type passwords and PINs to protect their device, and those same weak secrets are what protect the encryption...

Read more
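The point Cannon and Bradford make is that the AES layer is sound but its key is only as unpredictable as the unlock PIN it is derived from. The following Python is an added illustration, not code from this page or from the researchers' talk. It assumes the Android 3.x-era cryptfs parameters (PBKDF2-HMAC-SHA1, 2000 iterations, 16-byte salt, 32 bytes of output split into a 16-byte AES key and a 16-byte IV); those values, and the guess rate used for the time estimate, are assumptions and constructed placeholders, so treat the numbers as a way of comparing PIN policies rather than as measurements of any device.

```python
import hashlib
import math
import os
import string

# Assumed parameters (not stated on the page): Android 3.x-era full-disk encryption
# stretches the unlock PIN/password with PBKDF2-HMAC-SHA1 (2000 iterations, 16-byte
# salt) into 32 bytes that cryptfs splits into a 16-byte AES key and a 16-byte IV.
PBKDF2_ITERATIONS = 2000
SALT_BYTES = 16
DERIVED_BYTES = 32
AES_KEY_BITS = 128


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the unlock secret into the material that unwraps the dm-crypt master key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, iterations, DERIVED_BYTES)


def charset_size(passphrase: str) -> int:
    """Size of the character classes a search must cover to enumerate this passphrase."""
    size = 0
    if any(c in string.digits for c in passphrase):
        size += len(string.digits)            # 10
    if any(c in string.ascii_lowercase for c in passphrase):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)       # 32
    known = string.digits + string.ascii_letters + string.punctuation
    if any(c not in known for c in passphrase):
        size += 1                             # space / non-ASCII lumped into one extra class
    return size


def effective_bits(passphrase: str) -> float:
    """Entropy an exhaustive search actually faces, assuming random choice from the covering charset."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def expected_search_seconds(passphrase: str, guesses_per_second: float) -> float:
    """Expected time to reach the passphrase by exhaustive search (half the keyspace on average)."""
    keyspace = charset_size(passphrase) ** len(passphrase)
    return keyspace / 2 / guesses_per_second


def assess(passphrase: str, guesses_per_second: float = 50_000.0) -> dict:
    """Compare what the unlock secret contributes against the nominal AES key size.

    guesses_per_second is a constructed placeholder for how fast PBKDF2 can be
    evaluated on the examiner's hardware; it is not a figure from the page.
    """
    return {
        "length": len(passphrase),
        "charset": charset_size(passphrase),
        "effective_bits": round(effective_bits(passphrase), 1),
        "aes_key_bits": AES_KEY_BITS,
        "expected_seconds": expected_search_seconds(passphrase, guesses_per_second),
    }


def keys_are_bound_to_secret(salt: bytes) -> bool:
    """Show that the derived material changes with the secret, so the search space is the PIN space."""
    return derive_key("1234", salt) != derive_key("1235", salt)


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)  # constructed sample salt
    print("derived material depends on PIN:", keys_are_bound_to_secret(salt))
    for secret in ("1234", "081612", "Tr0ub4dor!"):
        print(secret, assess(secret))
```

Running this shows a four-digit PIN contributing roughly 13 bits of uncertainty in front of a 128-bit key, which is why the talk's brute-force result follows directly from the design the excerpt describes: a device policy that enforces longer, mixed-class unlock secrets is the mitigation that actually moves the `expected_seconds` figure.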

Friday, August 10, 2012

Forensic Examination of FrostWire version 5

As digital forensic practitioners, we are faced regularly with users utilizing the internet to swop and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving. This paper will discuss how the P2P software application, FrostWire v.5, functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P applications...

Read more

Wednesday, August 01, 2012

Book Review: Mastering Windows Network Forensics & Investigations

by Chad Tilbury

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:
  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry
The book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts...

Read more