Saturday, November 29, 2008

Cell site analysis (CSA) and fringe coverage

I'm delighted to see that Greg Smith has been able to update his blog frequently over the past few weeks. Greg is a genuine expert in the field of mobile forensics but it's his enthusiasm and willingness to share his knowledge which makes him stand out just as much as his expertise (check out his recent posts on cell site analysis and fringe coverage to see what I mean). If you're not already subscribed to Greg's blog, do so now!

Wednesday, November 19, 2008

Ultra-thin membrane changes SIM card usage

Fascinating new post from Greg Smith of Trew & Co. on his blog:

Examiners may come across an ultra-thin (0.3mm) membrane that lays over the contacts of a SIM card. Called the V200 SIM Dialer, the membrane is "Prefix base programmable (For routing prefix and bypass prefix setting)". What does that mean? Well, it allows mobile phones installed with SIM Tool Kit menu (most up to date phones have them) and define access to the network. The point being, if you are looking for least-cost routing for calls or want to use a calling card, rather than have mobile network call charges, then this device makes that happen, apparently.

How does it do it? "Dial the desired number directly each time you call, SIM dialer V200 will automatically dial IP access in front of the dialed number". As the manufacturer promotes, using their device will not change your dialling habits and there is "No cutting, No pounching your SIM".

More details and a link to a YouTube vid here.

Thursday, November 13, 2008

Lance Mueller - cell phone forensic tools

For anyone who missed it earlier this month, Lance Mueller posted some interesting thoughts on his blog about the current state of cell phone forensics:

As part of my work, I recently put together a fairly comprehensive cell phone forensic course. As part of the development phase of this project, I had a chance to use most of all the common cell phone forensic tools and put them through the paces with over 50 different phones, most of which were international models.

In my opinion, the forensic industry is nowhere near where we are today with cell phone forensics compared to computer forensics. Mostly because it is a fairly new sub-field of digital forensics and the tools just have not been around long and have not yet evolved to the state where the current computer forensic tools are at.

Read the rest, including tool evaluations, here.

Thursday, September 04, 2008

When is a Computer Forensic Investigation Needed? (2 of 2)

by guest blogger Jon Rowe from Pinpoint Labs

In my previous post, I identified several primary differences between computer forensic investigations and electronic discovery processing. Next, I’d like to identify some general case categories and tasks that involve a computer forensic investigator.

Case Categories:

· Employment disputes

· Misuse of company computer

· Embezzlement

· Breach of contract

· Software licensing

· Intellectual property theft

· Insurance fraud

· Sexual harassment

Typical Tasks:

· Recovering deleted files and emails

· Internet activity analysis

· Cell phone and smart phone analysis

· Metadata analysis

· Providing results, recommendations, and action plan

Even if a civil or criminal investigation doesn’t fall within these case categories, you may still need to involve a computer forensic investigator. Why? Because it is no secret that computers are used as a primary source for communication, work product, and research. The listed tasks could apply to investigating almost any suspect involved in a civil or criminal lawsuit.

Read the Pinpoint Labs blog at

Saturday, August 30, 2008

When is a Computer Forensic Investigation Needed? (1 of 2)

by guest blogger Jon Rowe from Pinpoint Labs

Electronic discovery and computer forensic investigations often go hand in hand. The challenge for many in the legal community is how to identify what ESI (Electronically Stored Information) requires more than typical electronic discovery processing.

First, computer investigations are technically electronic discovery, and the line between the two disciplines will continue to blur. Several key differences are:

  1. The qualifications and skills required by the individual performing collections and computer investigations
  2. Computer investigations typically recover and analyze areas of the suspect media unavailable through popular electronic discovery software
  3. Electronic discovery processing often involves a significantly larger amount of data
  4. Most computer forensic applications do not create load files or produce tiffs or electronic bates numbers
  5. Computer forensic investigations often require extensive detailed reports of the processes and findings, as well as appropriate affidavits, before the work can begin and then must describe the findings

In my next post, I will discuss the types of cases and suspect information that differentiate computer forensic investigations and typical electronic discovery processing.

Read the Pinpoint Labs blog at

Tuesday, August 12, 2008

Graduates: How To Secure an Interview for a Computer Forensics Role

In the first of a series of articles David Sullivan, a specialist computer forensics recruiter at, provides some guidance for graduates who are looking to secure their first role in Computer Forensics.

I spend a lot of my time during the autumn speaking to University students studying computer forensics. During these talks, I try to give a broad outline of future career prospects, and, let’s make no mistake about it, for the graduates who secure an outstanding first position in CF, the future is incredibly exciting if they work hard and achieve outstanding results.

In this short article, I am going to cover what you need to do if you are a recent graduate yet to secure an interview for a graduate position. I will cover interview technique and preparation in another article, but if you have recently graduated your number one priority has to be getting an interview for a CF position.

This subject gets covered time and again on Forensic Focus and I get numerous calls asking for advice. Unfortunately, there are no easy answers and in my view, achieving success all comes down to the following points.

1. Professionalism

You really must treat this whole process like a professional project. Keep a record of everything you do, everyone you speak with/write to and the results of the communication. This means you always stay in control and can accurately track progress.

2. Your CV

I can’t emphasise enough how important it is to make your CV a document that sells you well. Decision makers tend to make decisions on your CV in the first few seconds so it really doesn’t matter how talented or enthusiastic you are, if your CV isn’t clear and professional, you will not get selected for interview. When you send your CV to a company you only have one shot at it so make the effort to make your CV stand out from the others they receive.

There are numerous free resources on the internet (including this article I wrote for Forensic Focus last year: ) so there really is no excuse for not getting this right.

Incidentally, the main criticism I have of graduate CVs is that the course details are often tucked away in one line half way down the CV whereas the bar job in the Student Union is described in great detail. At this stage of your career, your degree is the key selling point so make it stand out! However, not to the point of my second major problem with graduate CVs, where there is a list of every option taken along with grades. Stick to the basic course details and include a strong paragraph on your final year project, concentrating on achievement rather than description.

If you would like me to look over your CV, feel free to email me.

3. Making contact

As a recruiter who places a large number of new graduates into CF roles every year, I am of course going to suggest you contact recruiters advertising roles in this area. This can be an easy way to secure an interview.

Often, you can’t just rely on recruiters and need to contact some organisations directly as part of a mixed strategy giving you the widest range of options. However, you cannot do this unless you take control when dealing with recruiters and are absolutely clear which companies they are currently working with and which companies they are going to contact on your behalf. Once you know this information you then have the freedom to contact any other organisations directly. For a fuller discussion of this point, have a look at the following thread:

4. Who to contact

Whether you are going via a recruiter or directly to a company, please don’t just send your CV to info@ or HR@ a certain organisation. Any covering letter I see addressed to ‘Dear Sir/Madam’ is automatically deleted. Take the time to find out who is likely to make the hiring decision and contact them directly.

Go beyond the obvious: if you haven’t researched it already, you will be surprised at the number of Public and Private sector organisations with a CF capability. Generally speaking, those organisations which have a lower profile and are harder to research will have fewer applications which means you are more likely to be successful. As always, it really does pay to do your research thoroughly.

5. Covering Letter

Keep this very short, punchy and emphasising achievement. My advice would be to include a short opening and closing paragraph along with maybe four/five bullet points as opposed to a page of text.

It sounds a small point, but always include your phone number in a prominent area as this makes it easy for the decision maker to call you. Again, as in all this advice, the whole point is to make it easy for the decision maker to invite you to interview.

6. Persistence

Many (hopefully all!) of the people you contact will be busy with operational issues and sometimes just aren’t in a position to focus on your CV. Make it easier for them by chasing them: make sure they have received your CV and emphasise how keen you are to join their organisation. If they aren’t recruiting at this time, ask them when they are likely to be recruiting. Ask them if anyone they know is recruiting. See if you can arrange some unpaid work experience, even if it is just to make the tea, as once they have seen you in person, you become more than just another graduate.

Ok, so we don’t want to take it too far and become a borderline stalker, but recruiting plans can change very quickly so if you can establish some sort of relationship with a decision maker you are at least putting yourself firmly in the frame.

7. Summary

As I hope I have been able to demonstrate in this article, for a lot of graduates who have secured their first role it was about preparing properly and then approaching the process in a thorough and professional manner before, most importantly, getting lucky due to being in the right place at the right time. However, to paraphrase the much-used Arnold Palmer line, the harder you work at it, the luckier you are likely to be in your search for this first role.

If you would like to discuss any aspect of this article, please comment on the Forensic Focus forums or contact me at

Monday, June 30, 2008

Guidance Software Launches Online Training Program

Yep, the headline says it all but here's a bit more blurb from the press release:

"The program’s inaugural offerings—EnCase Computer Forensics I, EnCase Enterprise Implementation and EnCase v6 Features—are now available on demand. EnCase Computer Forensics I, one of Guidance Software’s most popular training courses, includes 32 hours of course work in 28 separate blocks of training. This introductory course is a hands-on experience that involves practical exercises and real-life simulations. The class provides participants with an understanding of the proper handling of digital evidence from the initial seizure and acquisition of the computer/media, to data analysis, archival and validation. The EnCase Enterprise Implementation module explains initial installation and configuration of the EnCase Enterprise platform. The EnCase v6 Features module is an individual, two-hour block of training that provides users with the latest updates included in the recently launched version of EnCase Enterprise, including explanations on new features."

I'm a big fan of online training in principle but I look forward to seeing what people make of this program in practice. Also, a cursory glance at the Guidance website revealed no pricing details - does anyone have that information?

Tuesday, May 20, 2008

What happened to FTK 2?

A selection of comments from a recent forum thread:

"The product is good, but wow is it unpolished and slower than...well it's slow."

"What I find frightening is that regardless of which system it's used on, the performance still sucks. I have a quad core w/ 8gb ram, striped raptors and oracle on a raid 5 and it doesn't make a difference."

"...the problems seen in the latest 2.0 release of the venerable AccessData Corp. product, Forensic Tool Kit (FTK 2.0), just seem deeper and wider than I've run into elsewhere..."

"I helped the dept decide to buy 10 licensed copies of FTK 2.0 about 3 months ago. To my regret, it has not turned out well for us so far."

"What really hurt me was the [lack of] ability to save all your case data to independent HDD's for better control and storage. There were also cases where the client wanted all the work to be done on site. They did not want their data leaving the premises. With FTK 2.0 that made it pretty much impossible."

Things don't get much better elsewhere:

"What little credibility Access Data had in the past, is now gone. At least under their old management, they could focus on doing one thing, right. Now, management is so distracted by trying to play the enterprise and eDiscovery market that they have forgotten their core competency. All we get now are empty promises, buggy code, horrible customer service and promises of vaporware. I just can't risk my own career credibility by continuing to invest in such a product. I am going to stick with Guidance, which is the gold standard in this space."

To be fair, it hasn't all been bad news:

"It's not all grim for FTK fans. AccessData still has about the best Registry Viewer application on the market, and the FTK Imager is, hands down, the best acquisition application for an unbeatable price. The Password Recovery Toolkit is an able application, and AccessData's telephone product support is first rate." [Craig Ball]

and it should be noted that SC Magazine awarded FTK 2.0 a "Best Buy" rating.

Overall though, you'd be hard pressed, even after Access Data CEO Tim Leehealey's attempt to repair some of the damage here, to see this release as anything other than a disaster for FTK's reputation. That's sad news for Access Data, for us as practitioners - especially those who had such high hopes for this new product - and for anyone concerned about the lack of competition in this marketplace.

Monday, May 12, 2008

Matthew Shannon, F-Response - Interview questions please!

The release of F-Response has prompted some considerable interest within the forensics community within the last few weeks and with that in mind I'm delighted to introduce Matthew Shannon as an upcoming interviewee.

Matthew Shannon is a Principal at Agile Risk Management LLC as well as a Founder and the Chief Software Architect of F-Response, a vendor neutral solution to remote forensics and eDiscovery.

Matthew has nine years of professional experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Matthew is also a well received speaker and author. He has instructed the United States Secret Service on specific digital forensics techniques and was a well received speaker at the DEFCON 11 annual Information Security conference in Las Vegas, Nevada. Additionally, Matthew has been published in the International Journal of Digital Evidence for his work on incorporating statistical inference into digital forensics investigations.

Matthew graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. In addition, Matthew holds numerous professional information technology certifications, and is the developer of Nigilant32, Agile Risk Management's premier Windows first responder tool.

Please add your interview questions for Matthew to this forum post, thank you!

Tuesday, May 06, 2008

UK Criminal Justice Bill - Clause 62 (or is it 63, or 64?)

Although it hasn't yet caused much of a public stir, Clause 62 in the UK Criminal Justice Bill certainly hasn't gone unnoticed in the forensics community (judging by the number of news submissions received at Forensic Focus). There's also plenty of debate at various general IT sites such as The Register.

So, what is the clause? Well, the entire Criminal Justice and Immigration Bill is covered in some detail here but the relevant clause can be found here (and I apologise for the confusion over the numbering of the clause, I've seen it specified as variously 62, 63 and 64).

In a nutshell, the clause seeks to shift criminal responsibility from the producer (as specified in the existing Obscene Publications Act, although this will remain in force) to the person who possesses the image(s) in question.

The background to the Bill is a tragic one, involving the murder of Jane Longhurst five years ago at the hands of a man addicted to violent pornography. Liz Longhurst, Jane's mother, then began to campaign against such images and was supported by the Home Secretary at the time.

The proposed new laws are, however, controversial with campaigners fighting against their introduction primarily citing concerns over the (lack of) evidence linking pornography with violence, the vagueness of the offence and the risk that a large number of people will be criminalised unfairly.

Regardless of what we might think of the clause on a personal level, it's clear that its introduction will have consequences for some forensic examiners in the UK. Only time will tell what impact, if any, it has on violent sex crime.

Thursday, May 01, 2008

Interview with David Sullivan, Appointments-UK

Forensic Focus: Can you tell us something about your background? How did Appointments-UK come into being?

David Sullivan: I’ve enjoyed over twelve years in recruitment, starting out in the city [London] specialising in IT within Investment Banking.

The area that really interested me was Information Security, and after a successful period in this sector, I further refined my focus into computer forensics. Then, in 2003, I decided to take the plunge and set up Appointments-UK.

My reasons were simple and remain the underlying vision for my company today: when contacting a recruiter you want them to demonstrate good market knowledge and a genuine understanding of the companies, personalities, trends, conditions and pressures that impact your sector. At Appointments-UK all our people offer this.

It has been a tremendous challenge and I’m pleased that organic growth has enabled me to develop a team of specialist recruiters in related areas: however, my personal operational focus remains in the computer forensics/electronic discovery market.

Forensic Focus: You operate in a dynamic, changing market place; what are the main challenges you face and what are your strategies to tackle these?

David Sullivan: The single biggest challenge I face is identifying suitably talented and skilled candidates. Advertising on specialist sites such as Forensic Focus produces results, but the niche nature of this sector means using generalist job sites (Monster, Jobsite etc) offers limited success. Recommendation remains the cornerstone in identifying suitable talent; in fact, well over three-quarters of our placements are due to networking.

After five years in this sector I have a fantastic network of key people – many of whom I now know both socially as well as professionally – and this makes my job much simpler! I can rely on this group to keep me updated with what is really going on and who may be open to making a move.

Another challenge we face is managing expectations. There is much hype around computer forensics as a growth area suffering from a shortage of candidates. This often leads to unrealistic expectations – especially around salaries – which needs to be tackled.

This is particularly common with people moving to the Private Sector from Law Enforcement/Public Sector organisations. With earnings between £35 and 40k they often ‘need’ to realise a package of around £65k to compensate the loss of other benefits. In the majority of cases this is unlikely, and, in reality, when they first move the pay increase is likely to be minimal. However, based on performance the strong performers will soon see substantial increases in both salary and bonuses. As a benchmark, when somebody changes jobs it is very rare to see a basic salary increase by more than 20%.

We don’t make promises where we cannot deliver and I often tell prospective candidates that they are, in my opinion, unrealistic in their salary expectations. Although I don’t pretend to always get it right, more often than not we see these people again when, after searching the market, it is our honest and informed service that they really need – once more, back to the very essence of what we provide; an honest assessment of the opportunities available based on a real understanding of the market.

Forensic Focus: What do you think of the rising number of educational courses in computer forensics? Is there a genuine demand from employers for an increased number of students?

David Sullivan: I enjoy playing my part in raising awareness of the opportunities available by speaking annually at a number of Universities that run Computer Forensic courses. It is vital that we reach and develop relationships with tomorrow's talent today.

The standard of courses is certainly mixed but there are some outstanding, inspiring people running excellent courses and being incredibly innovative (particularly, in my experience, Vasilios Katos and Cheryl Hennell at Portsmouth University and Angus Marshall at Teesside University).

However, it remains clear that there will not be positions in Forensics for all the graduates, which is why it is so vital for them to be thinking seriously about their careers from Year One, and what they can do to give them an edge. I try to emphasise to the students that it is not necessarily the brightest who get the plum jobs, but those who prepare and position themselves correctly.

Graduate vacancies do exist and as a company we placed 14 computer forensic graduates in a variety of companies last year. It is also worth noting that salaries vary tremendously: in my experience in 2007 new graduate salaries varied from £16k - £34k, but in terms of long-term careers, I don’t think it is necessarily always correct to go for the highest salaried position as some of those organisations paying less offer outstanding training and exposure which can be very beneficial in the longer term.

Forensic Focus: How can people break into computer forensics and is it a ‘career’?

David Sullivan: Here on Forensic Focus lots of people who are currently working in IT related roles ask how to get into Computer Forensics and I get numerous calls asking the same question. I think it is a difficult area as it is not like becoming a Doctor where the career path is structured and you know what you need to do. My advice is usually that they need to personally contact every Computer Forensics Manager in the UK, be persistent, happen to be in the right place at the right time and get lucky. Oh yes, and be willing to take a pay cut.

Once you are in Computer Forensics there are some outstanding opportunities and if you are good, you can reach Senior Manager level very quickly. In my experience, the one thing that distinguishes those people who reach the very top is purely their ability to build relationships and develop new business. Technical expertise is important, but in the end, to reach the highest levels, it comes down to the ability to enable an organisation to sell the service.

However, I should add that I do appreciate that lots of outstanding Public Sector/Law Enforcement Computer Forensic Practitioners have no interest in following this path working for Private Sector organisations.

Forensic Focus: What changes have you seen in the computer forensics recruitment market over the past 5 years? What trends do you see in the future?

David Sullivan: Five years ago, nearly all recruitment was word of mouth between people working in the area and potential candidates I called had often never spoken to a recruiter before. Today, there are a number of specialist recruiters of varying quality operating in this market. There are some very good ones (such as Mark Woodward, who also advertises on this forum) but – and this is a general problem in recruitment - there are others who don’t provide such a high quality service, make false promises etc and this can make it harder for us to gain the trust of potential candidates.

As the sector continues to expand and mature, I think we will continue to see an increase in the more general positions being filled by advertising on specialist forums like Forensic Focus and Digital Detective. Companies will do much of this recruitment directly rather than via recruiters (the adverts on Forensic Focus show this happening).

However, for bulk recruiting, very specialist or senior roles, we will continue to see increased demand for pure headhunting and/or working exclusively with one Recruitment Company, which really has an understanding of the recruiting organisation. We have this relationship with some companies in the sector already and, it is not surprising, that we find the very best people for these organisations. As recruiters, if we can really get to know a company culture and work as a genuine Partner, it is so much easier to find the very best and most suitable people in the market, as opposed to currently on the market.

The only Public Sector/Law Enforcement organisation we currently recruit for in this area is the Metropolitan Police. I would anticipate that more Public Sector organisations will realise the cost-savings they can make by using external recruiters.

Forensic Focus: What do you do to relax when you're not working?

David Sullivan: I sail competitively, surf whenever I can and have developed a (healthy!) love of live poker.

David Sullivan specialises in Computer Forensics recruitment at Appointments-UK and can be contacted at David @ or on 01787 461082

Thursday, April 24, 2008

Reporting (again) and interviews

Some very interesting opinions have been raised in the "Reporting - time for standardization?" thread and I'd like to give people some more time to add their own thoughts before moving the discussion on. It's a somewhat more emotive topic than I might have expected but that's no bad thing, I suppose!

On another matter entirely, I've got a couple of good interviews lined up for publication shortly but again I'd like to encourage more suggestions for interviewees. Input from experienced professionals is always welcome but I also think it's useful to talk to those new to the profession - and yes, you can suggest yourself.

Well, it's lunchtime and a beautiful day outside so time to drag myself away from the computer. Bye for now!

Tuesday, April 22, 2008

Reporting - time for standardization?

[This is a repost of my forum post here. Comments welcome but perhaps most usefully posted as replies in the forum. Also, a tip of the hat to forum members BitHead and kovar for providing the impetus.]

I'd like to pick up on one or two comments from an earlier thread and bring the subject of report standardization into the spotlight.

This is a subject area which has cropped up before (in these forums and elsewhere) and also one which has given me pause for thought in practice - in common with most of us here, I imagine. I think the time is right to give some serious consideration as to whether the standard of reporting delivered by computer forensics practitioners is all that it could be and, more specifically, is the introduction of a suitably structured and widely accepted model a worthwhile goal to aim for.

A number of benefits have already been suggested for such a model, some of these being increased efficiency, increased accuracy, improvements in communicating with other parties and an increase in professional credibility. In addition, two paths have been suggested for achieving this goal - one, get the major computer forensic groups and organisations to agree on such a model and push it out to their members, the other, develop a model at a grass roots level and grow support and acceptance for it amongst members of the various computer forensics forums.

I'd like to request further comments from all of us here. Do you think there's anything wrong in principle with a standardized reporting model? If not, could such a model be developed which serves to provide the benefits mentioned above without undue restriction being placed on the report writer? What would be the best way of creating such a model? Would the time and effort spent developing a suitable model be worthwhile?

All thoughts welcome!

Friday, April 18, 2008

Posts from the blogosphere

Not much time today, just enough to link to a few interesting blog posts elsewhere (some old, some new):

Reflections of a computer forensics blogger

FTK 2.0 performance

Ghost as a forensic tool

Admissibility vs weight of digital evidence

OK, gotta run. Have a great weekend everyone!

Monday, April 14, 2008

Site stats

One of the things I forget to do for long periods (the last time I did it was over a year ago!) is to update the stats page to show how many people are visiting Forensic Focus. The figures for last month break down like this:

Unique visitors 20995
Number of visits 74665
Pages 218510

The full list of stats for each month since January 2004 can be viewed here. Although I do a little bit in the way of advertising and many pages have been picked up by Google, I'm convinced that a lot of the site's continued growth is due to word of mouth. Many of those who sign up for new accounts tell me that Forensic Focus was mentioned by someone they work with or by a teacher on a training course.

So, a big thank you is due to all those who have helped the site grow and I hope it continues to be a source worthy of recommendation. Like the old saying goes, if you're happy with it - tell someone else. If you're not - tell me!

Tuesday, April 08, 2008

Why the hell is everything so expensive?

I don't usually rant, possibly because I'm not sure I'd be able to stop, but one thing I've noticed is just how incredibly expensive everything is in the world of computer forensics. Not just the usual wallet-draining culprits like high end hardware but other stuff too - software, training, books, software, training... (sorry, I'm starting to repeat myself, I knew this would happen).

I once tried to explain computer forensics to a good friend of mine with little knowledge of technical matters. They said something rather insightful: "So, it's basically just copying stuff and looking at it?" Now, we all know there's more to it than that, but there's a kernel of truth in that statement which leads me to wonder about at least some of the pricing structures out there.

OK, rant over, and to some degree this is an "Aunt Sally". But not entirely...

Monday, April 07, 2008

The problem with power

Perhaps unusually for someone with an interest in computing, my knowledge of electricity - the driving power behind computers the world over - is sketchy to say the least. Beyond remembering which way to twist a light bulb and avoiding the temptation to stick a fork in the toaster, I'm something of a novice in understanding how this mysterious force actually works.

As a result, I was mightily impressed by Wiebetech's HotPlug device which Paul Mah recently blogged about at TechRepublic. Here's the YouTube video where James Wiebe explains how the system works:

Clever, huh? The downside is it's yet another box to drag along with you but, hey, us IT guys have got to get our exercise somewhere.

And for anyone else struggling to replace a light bulb (I'm sure there's a joke here somewhere) just remember: "lefty loosy, righty tighty". It even works with the Northern Hemisphere anyway :-)

Thursday, April 03, 2008


Ah, back in the blogging seat at long last!

Keen forumites will have noticed my recent post in the Legal forum asking for a little help in putting together some resources on licensing issues for computer forensics practitioners (tip of the hat to David for the suggestion).

There have already been a few very useful suggestions, in particular the map at would seem to be a very handy reference for investigators in the US. I want to stress that I'd like to include as many other countries as possible though, so if you're familiar with the relevant licensing procedures in your neck of the woods please reply to the forum post or PM me (note: I'm also including formal vetting procedures and the like under the heading of "licensing" where these are required in order to carry out forensic work - in other words the end result may not necessarily be termed a license in your local lingo).

On the subject of licensing, I have the impression it's (perhaps unsurprisingly) about as popular as a root canal in some places. Got a strong feeling about it? Post a comment and get it off your chest :-)

Tuesday, February 26, 2008

Computer forensics podcasts

While computer forensics blogs are quite easy to find, podcasts are somewhat conspicuous by their absence - not altogether surprising, of course, given the effort required to produce something worth listening to. In fact, the only one I listen to anything like regularly is Bret and Ovie's CyberSpeak, and despite being very enjoyable, even that doesn't always concentrate on purely forensic issues.

Does anyone have any other recommendations for computer forensic podcasts? Please leave a comment and I'll add them to the relevant links page for others to see.

Friday, February 22, 2008

Cold Boot Attacks on Encryption Keys

Already generating some discussion in the forums and elsewhere on the web is the recently released paper "Lest We Remember: Cold Boot Attacks on Encryption Keys" from researchers at Princeton University. The researchers' main finding is that data remains in DRAM for longer than generally expected. Furthermore, this period can be extended significantly by cooling the memory chips in question (a somewhat unsophisticated but effective methodology of achieving this cooling effect being the use of an inverted "canned air" canister!)

In addition to the paper, there is also a YouTube video:

In terms of the underlying principles involved, there's nothing particularly new here. Data retention in memory has been known about and discussed for a number of years. The paper is interesting, perhaps even important, for a number of reasons though. Firstly, the extent to which data remains available and the ease with which the window of recovery can be extended will be surprising to many. Secondly, in addition to the main finding the paper also discusses techniques used to reconstruct data where some amount of decay has occurred - potentially crucial in the recovery of encryption keys. Thirdly, it addresses one of the key challenges facing forensic examiners as the use of BitLocker and products such as TrueCrypt continues to grow.

As many commentators have already mentioned on news sites or blogs (including the researchers' own blog) the threats to security or opportunities for forensic analysis are highly dependent on a variety of factors - the state of a machine, the particular implementation of BitLocker in use, the speed with which cooling can be applied etc. In the real world, this would seem to represent a fairly limited threat to anyone who has had their laptop stolen by an opportunist thief, although situations where a device has been specifically targeted for the data it may contain are a different matter. I think it's much more interesting to consider the forensic possibilities and implications. How long will it be before this type of consideration becomes an integral part of our thought processes when preparing to seize a suspect device? What effect will existing legislation have on your actions? Why didn't I invent this technique when I cleaned my keyboard after having that sandwich for lunch?

Food for thought indeed...

Thursday, February 21, 2008

YouTube and the power of the dark side

Sharp eyed visitors may have noticed the addition of a Videos link to the Resources menu on the left hand side at Forensic Focus. The link is to a page of YouTube videos related to computer forensics - some instructional, some news reports and (such as "Cat Fancy".) I hope they're somewhat educational or at least mildly diverting. Needless to say please feel free to recommend further additions to the page.

You may notice that the top video is slightly larger than the rest. In theory this should be a sort of automated player which delivers a selection of computer forensics related videos by itself without needing me to specify them individually (the basic idea being that it picks up on keywords supplied when I set it up.) Well, that's the theory. In practice it doesn't seem to work too well - either it displays no videos at all or the ones it does show are unrelated to the subject area. Maybe the technology will improve, though, so I'll leave it in place for the time being.

An unexpected benefit of the poor targeting, though, is that it's introduced me to Chad Vader. I'm sure most of you cool cats have already seen this successful viral video series but for those who haven't, here's episode 1.

May the force be with you!

Friday, February 01, 2008

Lance Mueller's blog...and funny T-Shirt quotes!

Lance Mueller's blog - Computer Forensics, Malware Analysis & Digital Investigations - is definitely one of the better ones out there. Updated frequently, highly detailed, nicely illustrated (i.e. lots of pretty pictures) and with some newly posted forensic practicals it's a great resource to add to your blog tracker, especially if you're an EnCase user.

On a less serious note, don't miss this thread in the forums where we've been trying to come up with some suitably amusing quotes for a CF club fundraiser. I have to admit I like Harlan's suggestion, despite the somewhat disturbing imagery it conjures up ;-)

Wednesday, January 23, 2008

Validating write blockers

In the Recommended forensic hardware thread in the Hardware forum I recently wrote the following about a hardware write blocker I'd just come across which I hadn't seen before:

I think this brings up the interesting question of how we (as practitioners) test the write blocking capability of new devices both to satisfy ourselves that they work as advertised and to be able to show that in court.

For the sake of argument, let's imagine that we *need* to use one of these IOI products (if we want to be specific we'll say it's the FW2ATA525-MR1-WP already mentioned) but it's not a device you've used or tested before, it hasn't been used in a court case in your area and you have only the manufacturer's word that it works properly. What methodology are you going to employ to test it in some formal sense?

In practice, I suspect most of us use write blockers which are seen as industry standards and have already gone through some form of validation procedure. Typical choices would be Guidance Software's FastBloc devices or something from the Tableau product line, both examples of items from well respected specialist companies. Not only have these devices presumably undergone extensive testing by manufacturers concerned to protect their reputation as industry leaders but we also have the results of independent testing to refer to, perhaps the best known being the NIST hardware write block testing program.

What of new devices from relatively unknown manufacturers though? How do we reassure ourselves and the courts that they work as advertised? The obvious answer is that we test them ourselves but how exactly do we do that, what methodology do we use?

In theory, write blocking is easy to understand: we want to prevent any alterations to the attached evidence device while allowing all data to be retrieved. In practice the situation is more complex: there are many different commands which can be sent to a storage device from a variety of different components in a host computer (BIOS, OS, application software, etc.) and we need to satisfy ourselves that a write blocking device operates as expected (preventing alteration/allowing retrieval) under all circumstances. Similarly, testing methodologies can be either straightforward or complex. For example, compare the validation methodology suggested in the Helix manual:

This process is based on the National Center for Forensic Science (NCFS) 5 step validation process for testing write protection devices (Erickson, 2004). It was originally designed to test the Windows XP SP2 USB software write blocker, but has been adapted to test any hardware and/or software write blockers.

Step #1 – Prepare the media

a) Attach the storage media you will be testing with to your forensic workstation in write-enabled mode.
b) Wipe the media - validate that this has been successful.
c) Format the media with a file format of your choosing.
d) Copy an amount of data to the media.
e) Delete a selection of this data from the media.
f) On the desktop of your forensic workstation create 3 folders. Call these Step-1, Step-2 and Step-5.
g) Image the media into the Step-1 folder and note the MD5 hash.

Step #2 – Testing the media

a) Remove and then replace the testing media into your forensic workstation.
b) Copy some data to the media.
c) Delete a selection of this data from the media.
d) Image the media into the Step-2 folder and note the MD5 hash.
e) Validate that this hash value is different to that produced in Step #1.

Step #3 – Activate the write blocking device

a) Remove the media from your forensic workstation.
b) Attach and/or activate the write protection device.
c) Follow any specific activation procedures for the specific blocker.

Step #4 – Test the write blocking device

a) Insert the media into your forensic workstation.
b) Attempt to copy files onto the media.
c) Attempt to delete files from the media.
d) Attempt to format the media.

Step #5 – Check for any changes to the media

a) Image the media into the Step-3 folder and note the MD5 hash.
b) Validate that this MD5 hash is the same as the MD5 hash from Step #2.

with the methodology outlined by NIST in their test plan available at
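
The two hash comparisons in the Helix procedure quoted above (Step 2e and Step 5b) can be scripted. The Python below is an added example, not part of the Helix manual or the original post; the function names, the 512-byte sector size and the small sample images are assumptions constructed for illustration. It goes slightly beyond the quoted steps by listing which sectors changed when the hashes differ, and by treating a failed Step 2e as inconclusive rather than as a pass.

```python
import hashlib
import pathlib
import tempfile

SECTOR = 512  # assumed sector size, used only for the difference report


def md5_image(path, chunk=1 << 20):
    """MD5 (the hash the quoted procedure records), read in chunks for large images."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def changed_sectors(path_a, path_b):
    """Sector numbers whose contents differ (a length mismatch also counts)."""
    diffs, n = [], 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            sa, sb = a.read(SECTOR), b.read(SECTOR)
            if not sa and not sb:
                return diffs
            if sa != sb:
                diffs.append(n)
            n += 1


def validate(step1_img, step2_img, step5_img):
    """Apply the hash comparisons from Step 2e and Step 5b to three images."""
    h1, h2, h5 = (md5_image(p) for p in (step1_img, step2_img, step5_img))
    verdict = "PASS" if h2 == h5 else "FAIL"  # Step 5b: blocked writes change nothing
    if h1 == h2:
        verdict = "INCONCLUSIVE"  # Step 2e failed: unblocked writes left no trace
    diffs = [] if h2 == h5 else changed_sectors(step2_img, step5_img)
    return {"md5": (h1, h2, h5), "verdict": verdict, "changed_sectors": diffs}


def demo():
    """Run the check on small constructed images standing in for real acquisitions."""
    wiped = bytes(SECTOR * 8)                                      # Step 1 image
    written = wiped[:SECTOR] + b"A" * SECTOR + wiped[2 * SECTOR:]  # Step 2 image
    leaked = written[:5 * SECTOR] + b"B" * SECTOR + written[6 * SECTOR:]
    with tempfile.TemporaryDirectory() as d:
        p = {}
        for name, data in (("s1", wiped), ("s2", written), ("leak", leaked)):
            p[name] = pathlib.Path(d) / (name + ".dd")
            p[name].write_bytes(data)
        return {
            "blocker_works": validate(p["s1"], p["s2"], p["s2"]),
            "blocker_leaks": validate(p["s1"], p["s2"], p["leak"]),
            "no_control": validate(p["s1"], p["s1"], p["s1"]),
        }
```

For a real test, pass `validate()` the three images acquired in Step 1, Step 2 and Step 5 and keep the returned hashes with the test record.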

If you're thinking the easy way round this is just to avoid the issue and buy one of the well known write blockers instead, the bad news is that testing your device (regardless of manufacturer) is almost certainly something you should be doing anyway. There's a good thread here in the forums discussing when and why write blockers should be tested.

Of course, we need to see validation within the wider context of the entire forensic process which involves, potentially at least, presenting evidence in court. As a result, there may be certain testing methodologies which are already specified or recommended wherever we find ourselves working.

I think I'm going to dig a little further into this and see what various agencies have to say. I'll report back when I have some news but in the meantime any thoughts or comments would be very welcome. How would you validate a new write blocker? Do you regularly test your existing device? How reliable are hardware write blockers (have you had one fail on you)? Let me know.

Tuesday, January 15, 2008

Events calendar updated

Just a quick note to say that the events calendar has now been updated with relevant events covering the rest of the year. If anyone knows of other events which should be included (primarily conferences) please add them to the calendar by going to the appropriate day/days and clicking the "Add Event" button (I'll then review/approve the new addition). Thanks!

Wednesday, January 09, 2008

Computer forensics around the world

One of the interesting things about running Forensic Focus is seeing which countries our visitors are coming from. Of course, as an English language site it's not particularly surprising to note that a significant number of visitors come from the US and the UK. However, I'm always delighted to see just how many visitors come from other countries - not just other English speaking or Western European countries, but countries from every corner of the globe. Interest in computer forensics is certainly a worldwide phenomenon.

From some of the emails I've received over the past few years and posts to the forums (not to mention news items posted to the homepage) it's clear that the state of computer forensics differs widely from one country to another. What do I mean by "state"? A number of things, touching upon but not limited to issues surrounding: legislation, awareness, training, best practice, job opportunities, etc. It's also clear that things are changing and progress is being made in many places.

An opportunity exists for those of us in countries with more fully developed computer forensics infrastructures to assist newcomers to the field and, from what I understand, a number of countries are actively seeking experienced practitioners from outside their borders to assist with this process. That's not to say that building awareness and implementing change is a straightforward process, and no one knows a country better than its own citizens, but lessons learned elsewhere can often save valuable time and effort. Ultimately, though, computer forensics exists within a larger framework built around the use of and access to technology, the political climate, even social norms and values. The shape of forensic computing in one country may differ from that seen in other areas of the globe.

I'd be interested to hear what others think of the global state of our profession. Which countries are world leaders in computer forensics and why? Which countries are furthest behind? Is the development and use of high tech investigative powers always a positive thing? Please leave a comment!

Saturday, January 05, 2008

Training and education links page updated

The training and education links page at

has been updated. Links are now listed by country on separate pages and non-working links have been removed.

The procedure for adding a new link has also been simplified: just click here.

Friday, January 04, 2008

X-Ways interview and a few other items

For those who didn't catch last month's newsletter a quick note to say that Stefan Fleischmann has very kindly agreed to answer interview questions this month. If you have any questions about Stefan's X-Ways range of software products please feel free to post them to this forum topic. Alternatively, if you prefer, you can always drop me a line privately (email, PM or contact form). The X-Ways lineup includes not only X-Ways Forensics but also X-Ways Capture for live analysis and I for one am certainly looking forward to speaking to Stefan and learning more about both of these products. If there's anything you'd like to ask please don't let this opportunity go by!

In other news the forum discussion of recommended forensic hardware now finally has a summary page to go with it at

This should be very much a "living document" with updates and additions strongly encouraged - please use the forum topic mentioned above to continue the discussion.

Another topic which came up quite recently in the forums is that of report writing. This too now has a dedicated page at

and again I'd like to encourage further additions to this page (sample reports, relevant links and articles on CF report writing).

Finally, a quick plug for this post by kovar concerning terms of engagement. It seems to me this is another useful area for discussion, in particular for those in private practice, and at some stage will probably also warrant a separate page as a quick reference. Please help if you can!

Tuesday, January 01, 2008

Happy New Year!

A very happy New Year to all readers and all the best for 2008!

I'm looking forward to getting back in the saddle this month after the usual craziness of December. Hope everyone enjoyed themselves...see you soon in the forums!