Monday, May 24, 2010

EnCase file copying and Windows Short File Names

By Lee Hui Jing, EnCe

A couple of months ago, one of my clients, an Investigating Officer from a Law Enforcement Agency, asked me to extract some files from an image copy of a hard disk. The total number of files to be copied was 1,030. Sounds easy, right? This job of a few clicks turned out to be a nightmare when I found out that I was short of 2 files in my destination folder. I had selected 1,030 files to be copied, but at the end only 1,028 files had been copied. More surprisingly, the EnCase Copy operation reported ‘Status: Completed’. But where did the other 2 files go? Why had EnCase produced ‘Status: Completed’ when, in fact, 2 files were missing? Referring back to the image copy, I found that most of the files shared a filename with another file.

It is very common for an analyst to face evidence files which have the same filename. This circumstance exists when:

1. There are two files with the same name, but they are located in different folders.
2. There are two files with the same name, but with different MAC times.

A procedure to be followed before analysing a case is to recover all files and folders. When you use the recover options, deleted files are recovered, and sometimes these deleted files have the same filename as existing files, but with different MAC times.

But is it possible that EnCase can fail to copy all the files under these circumstances? For those readers who are new to EnCase, you may ask why you need to copy the evidence files in the first place. Let me try to put it simply: in computer forensic methodology, after the analysis phase we present the findings to our clients. So usually what we do is copy out the evidence files using EnCase so that our clients can access the files on their own workstation, without looking at the whole hard disk image. So the real question now is: how sure are you that the selected files have been properly copied to your designated folder? Is it sufficient to rely on the EnCase notification window after the EnCase copying process has been executed?
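As an added illustration (not from the article, and not EnCase's own copy logic), the following Python script models the two duplicate-name situations listed above and shows why a flat export can silently lose files while every write still "succeeds", and how an independent count-and-hash verification of the destination catches the loss that a status flag hides. The evidence items, paths and contents are constructed sample data, and the `~1`, `~2` suffix scheme used to keep colliding names apart is an assumption of this example, not something the article describes.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sample selection, modelled on the two situations in the article:
# the same filename in different folders, and the same path twice because a
# recovered deleted file sits beside the live one (different MAC times).
SAMPLE_ITEMS = [
    ("Documents/report.doc", b"live copy of the report"),
    ("Archive/report.doc", b"older copy kept in another folder"),
    ("Documents/report.doc", b"recovered deleted version of the report"),
    ("Documents/notes.txt", b"unrelated notes"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flat_export(items, dest):
    """Write each item under its bare filename into one folder.
    Items that share a name silently overwrite each other, yet every
    write 'succeeds', so a completion status alone would look fine."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for logical, content in items:
        target = dest / PurePosixPath(logical).name
        target.write_bytes(content)
        written.append(target)
    return written


def collision_safe_export(items, dest):
    """Keep the logical folder structure; if the path is still taken
    (recovered duplicate), append ~1, ~2, ... (assumed scheme) so that
    no earlier file is overwritten."""
    dest = Path(dest)
    written = []
    for logical, content in items:
        base = dest.joinpath(*PurePosixPath(logical).parts)
        base.parent.mkdir(parents=True, exist_ok=True)
        target, n = base, 1
        while target.exists():
            target = base.with_name(f"{base.stem}~{n}{base.suffix}")
            n += 1
        target.write_bytes(content)
        written.append(target)
    return written


def verify_export(items, written):
    """Independent check of the destination: the number of distinct files
    on disk must equal the number selected, and each destination file must
    hash to the content it was meant to carry. Returns a list of problems;
    an empty list means the export is complete and intact."""
    problems = []
    distinct = {p for p in written if p.is_file()}
    if len(distinct) != len(items):
        problems.append(f"selected {len(items)} files, found {len(distinct)} on disk")
    for (logical, content), target in zip(items, written):
        if not target.is_file():
            problems.append(f"{logical}: missing from destination")
        elif sha256(target.read_bytes()) != sha256(content):
            problems.append(f"{logical}: content mismatch at {target}")
    return problems


def export_and_verify(items, exporter):
    """Run an exporter into a fresh temporary folder and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        written = exporter(items, tmp)
        return verify_export(items, written)


if __name__ == "__main__":
    for exporter in (flat_export, collision_safe_export):
        problems = export_and_verify(SAMPLE_ITEMS, exporter)
        print(f"{exporter.__name__}: {'OK' if not problems else problems}")
```

The point of `verify_export` is that it never trusts the copy routine's own return value: it recounts what actually exists in the destination and re-hashes each file against its source, which is exactly the check that would have exposed the 1,028-versus-1,030 discrepancy before the files reached the client.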


Friday, May 14, 2010

Positive predictive value and digital forensics

by Sean McLinden

In my last column, I discussed the concept of prior probability, that is to say, the likelihood that conclusion A can be derived from fact B with no additional data. In medical diagnosis, prior probability is estimated in order to determine the need for and type of additional investigation.

Another tool used by clinicians is the positive predictive value (PPV). In essence, the PPV is the likelihood that a positive result for a given test will confirm the operative hypothesis (diagnosis). All other things being equal, choosing the procedure with the highest positive predictive value is the single most useful step in confirming the clinician’s suspicion.
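As an added worked example (not part of the column), the PPV can be written in terms of the prior probability discussed in the previous column. Let $p$ be the prior probability of the hypothesis, $Se$ the sensitivity of the test (the probability of a positive result when the hypothesis is true) and $Sp$ its specificity (the probability of a negative result when it is false). By Bayes' theorem:

$$\mathrm{PPV} = P(\text{hypothesis} \mid \text{positive}) = \frac{Se \cdot p}{Se \cdot p + (1 - Sp)(1 - p)}$$

With illustrative values $Se = 0.90$ and $Sp = 0.95$, a prior of $p = 0.10$ gives $\mathrm{PPV} = 0.09 / (0.09 + 0.045) \approx 0.67$, while a prior of $p = 0.01$ gives $\mathrm{PPV} = 0.009 / (0.009 + 0.0495) \approx 0.15$. The same test confirms the hypothesis far less often when the prior is low, which is why the prior is estimated before the test is chosen.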

Of what relevance is this to digital forensics?

As I commented previously, it appears that US courts, especially civil courts, are increasingly limiting the scope of discovery out of concerns that discovery may violate expectations of privacy or be too burdensome to the producing parties. In a recent case in which I was involved, the judge required the requesting party to propose an alternative to production of forensic images of an entire enterprise network’s computers solely to search for possible instances of the plaintiff’s intellectual property (engineering drawings) located on the defendant’s computers. Instead, the court restricted the discovery to only those devices which were used to store or manipulate files of the same type as the engineering drawings and, of course, to only those documents which were reasonably accessible.

In addition, some judges are now following the principle of “one bite of the apple”, i.e., limiting production to a single request. Not surprisingly, though not always successfully, this has led to the notion of discovery for the purpose of discovery; the classic slippery slope...


Thursday, May 13, 2010

Security metrics - proving you've made a difference

by Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

Language is a funny thing – even though we may speak the same basic language, the nuances, construction and vocabulary is very individual. I find listening to my children a wonderful thing – sometimes I hear either my words, or those of my wife, but more often I hear distinct phrases and words that are unique to them. This month, they have challenged me, in an oft played game, to insert words that are uniquely theirs, and not mine, into this column – so, embedded somewhere in the next eight hundred or so words are two words that have been given to me – I’ll publish the name of anyone next month who can tell me which two they are!

Given that two people may interpret any given word in vastly different ways depending on their backgrounds, how do we ensure there is a consensus of understanding? We operate in a field that has very definite concepts – true or false, on or off, zero or one – binary choices. There are few shades of uncertainty (all smart comments about quantum computing to /dev/null please) – it’s there or it isn’t, and unless we are called upon to give our opinions as experts, we are bound, at least ethically if not legally, to make statements of fact. I personally find it an immense problem, though, that so often there are no really clear definitions of terms – or at least no clear definitions that you can easily present to a customer (or worse, a jury).

To add further problems, for me at least, I subscribe to a code of ethics that prohibits the use of “FUD” in dealing with customers. Yet “Fear, Uncertainty and Doubt” have to be the biggest drivers in Information Security sales, as a quick survey of some major security vendors supports:

“… cyber cold war, with critical infrastructures under constant cyberattack causing widespread damage” – McAfee (fear of attack)

“Do you know where your data ends up?” – Checkpoint (uncertainty)

“Today's attackers evade traditional security solutions, leaving your business vulnerable to data theft.” – Symantec (doubt in your “traditional” solution)

Having put up these examples, I had a moment of paranoia and had to check my own website just to be sure – it really is a very easy thing to do - “pas de touché” fortunately!

So where does this leave us?


How encryption affected my life

by Dominik Weber

About the Author

Dominik Weber is a Senior Software Architect for Guidance Software, Inc.

Encryption and the lack thereof changed my life. In the early 1990’s I realized that encryption was very underused and that in the near future it would become essential for most people and companies. At that time, hardly any user encrypted any data. Even in the financial sector, good encryption was seldom applied. Thus, I chose the focus of my Masters in Computer Science to be Cryptography. My thesis researched the synergistic properties of compressing data before cryptographically hashing it.

When the large forensic company I am currently working for decided to create an Enterprise-Level product, I worked on the cryptographic protocol, the authentication and encryption algorithms, and their FIPS 140-2 validation and implementation. This took a long time, proving the well-known fact that well designed protection is not a simple or quick task. The proper selection of algorithms, threat modeling, secure coding practices, entropy and key management are just some of the many facets I had to address. Finally my co-inventors and I obtained a patent protecting this intellectual property.

I was very careful because I knew firsthand how disastrous a lack of protection can be - it was the trigger for my divorce...


Friday, May 07, 2010

Peer review: pros and cons

by Chris Hargreaves

About the Author

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

Traditional academic publications are peer reviewed, e.g. journal papers and conference proceedings, and there are now many examples of these that specifically cover digital forensics (e.g. Digital Investigation, Journal of Digital Forensic Practice). However, a considerable amount of useful forensic research is available from what are, in traditional academic terms, considered to be less reliable sources of information (including resources such as blogs, non-peer reviewed papers and forum posts). This article highlights the strengths of these media for distributing results of digital forensic research, but also discusses the value that is added when even a brief discussion of the methods used to obtain the results, and an open discussion of the limitations of the research is included when posting results online.

One of the main advantages of peer-reviewed publications in a journal or in conference proceedings is that one or more other people in the field have examined the work and independently decided that it is suitable for publication. This peer-review process ensures that the author has discussed and explained contradictory theories and considered whether the results obtained are general or due to carefully chosen specific experiments. It also ensures that conclusions drawn are well supported by evidence and that enough information is contained for experiments to be repeated and the results verified. The criteria by which a publication is judged suitable can vary, but are likely to include technical accuracy, whether the results can be generalised, relevance, timeliness, etc. This process is in place to ensure that the published work has a certain level of quality...
