Wednesday, June 30, 2010

Mobile Forensics Training: Investigating Connection Records (UK, Aug 23/24)

This month sees the launch of the Forensic Focus Preferred Training program which aims to highlight the very best digital forensics training available.

The first course offered is "Mobile Forensics: Investigating Connection Records" delivered in the UK by Sam Raincock of SRC. This is a 2 day course providing in-depth analysis of connection records and a comprehensive overview of cell site analysis techniques. A 10% discount is available for a limited period.

Further details at

Windows Search forensics

by Joachim Metz

While some may curse Windows Vista for all its changes, for us forensic investigators it also introduced new interesting 'features'. One is the integration of Windows (Desktop) Search into the operating system. Most corporations have been reluctant to adopt Vista, however more and more Windows XP systems are being replaced by Windows 7 equivalents. Windows 7 also contains Windows Search and enables it by default. It actually can be challenging to disable it so one can conclude that Windows Search is becoming a relevant source of information in forensic analysis of Windows systems.

What is not widely known is that Windows Search uses the Extensible Storage Engine (ESE) to store its data. This is the same engine that Microsoft Exchange uses. Because ESE uses a propriety database format, little information about it is available in the public domain. As a consequence, it is unclear how well different forensic tools support the ESE database format.

Several years after the introduction of Windows Vista and Windows Search, currently only a handful of forensic analysis tools seem to provide support for the Windows Search database even though a Windows Search database can be a valuable source of evidence. This paper provides an overview of the ESE database format and the Windows Search database and what it might contribute in your investigations...


Tuesday, June 29, 2010

Computer Forensics - sometimes it’s all about timing

by Sam Raincock

When a crime happens, the time of the events may be critical to the legal case. However, how are these times established? Is it the time alleged by the witness? When the CCTV system captured the image? When the computer said the person left their home? When the satellite navigation system recorded they arrived? When the mobile was cell sited in the area? Or is it all of the above?

There is an abundance of studies addressing the accuracy of witness evidence. However, what about the accuracy of times provided by witnesses?

- I know it was 13:05 because I looked at my watch

- I walked past the newsagents and it was open so it must have been after 13:30

- I had just had my lunch, watched the news and left at 13:40

Without looking at your watch/clock (or computer), what time is it? What time does your watch/clock say? What time is it really?

Just like humans, digital devices may tell the incorrect time. In fact, they often do. Hence, when analysing events, it is crucial to compare like with like, otherwise the chronology may become scrambled and the evidence contradictory. In this article, I will discuss the issue of accurate digital device time and some basic techniques to assist in questioning and approximating the correct timings...


Friday, June 25, 2010

Forensic Focus 2010 survey

The Forensic Focus 2010 survey is now online at

The survey should take no more than 2 or 3 minutes to complete and does not require any personal or contact information.

This year the survey has been expanded to include more detailed questions on employment issues with the aim of identifying trends across the industry which can be reported back to the Forensic Focus readership.

Thank you very much in advance for completing this short survey, your responses will have a direct influence on the future of Forensic Focus and I hope provide useful information to everyone working in this field.

Tuesday, June 22, 2010

Unusual devices

by Sean McLinden

In 2007, New Jersey Governor Jon Corzine made the news twice for a single event. The first time was the report of a car accident on the Garden State Parkway in which he was seriously injured. The second time was a report, which appeared a few days later, detailing how the governor's account of the accident had been contradicted by a witness, his automobile. Since 2000, most US cars have been equipped with a :black box” known as the Motor Vehicle Event Data Recorder. Standards for a common data set, including protections against data theft, altering of vehicle information, odometer fraud and misuse of collected data on owners and drivers are the subject of the IEEE 1616a Standards for Motor Vehicle Event Data Recorders (MVEDRs). In spite of such protections, a number of states have enacted privacy protections which regulate the recovery and use of such data.

A 2007 Computerworld article was entitled Photocopiers: The newest ID theft threat. In 2010, CBS News was able to recover Personal Health Information, and other personally identifiable information (PII) from the hard disk drives of copiers found in a warehouse in New Jersey. These copiers had been leased by various health care, law enforcement, financial and other institutions.

The focus of these stories was the risk to personal privacy, but to forensic examiners and eDiscovery personnel, there is a more significant issue which is, When does the data contained in such devices constitute evidence deserving of preservation and a possible subject of discovery? More importantly, perhaps, is determining when a thorough investigation demands the investigation of information contained in a peripheral not, normally, the subject of a forensic examination?

A couple of recent cases presented to our offices illustrate when and how such concerns arise.

Case 1: A branch office of a financial services company becomes concerned that confidential information is in the possession of unauthorized employees and outsiders. This arises after a client notices a securities trade that was undertaken on their behalf but without their knowledge or consent. Internal IT personnel examined each of the office computers and found no evidence of malware, keyloggers or possession of PII except by authorized personnel. An outside digital forensics (DF) firm was brought in to investigate and found no evidence of an intrusion or extrusion. A former IT administrator was the principle suspect but he had been gone for over 6 months and his account disabled. A second DF firm was brought in to confirm the findings of the original firm.

The second firm noticed, as did the first, that the small office used a Linksys wireless access point (WAP) in lieu of a wired network. Interviews with, then, current IT personnel and attempts to “sniff” the wireless network confirmed that WPA2-PSK was used and that the key was strong. The SSID was not advertised. Using the Web administrative console, the second DF firm determined that the firmware was not the Linksys default, but a modified kernel based upon Sveasoft Talisman. Further examination showed that it had been configured for port mirroring, something which was, also, not the default. The former IT administrator had set up a rogue access point which, effectively, doubled as the secure access point for the business...


Thursday, June 17, 2010

Flash drives and acquisition

by Dominik Weber

Dominik Weber
About the Author

Dominik Weber is a Senior Software Architect for Guidance Software, Inc.

“Take a look at this”. It started simply with that.

A co-worker was looking into some strange issue with an acquisition of a flash drive. It seemed that the acquisition hash changed every time the drive was acquired. The write switch was off. Even a software or hardware write blocker did not prevent this odd effect.

My co-worker did isolate some sector differences between the individual acquisitions. She found out that it was a series of sectors located in “Unallocated Clusters”

While looking at the real sector data it changed every time the sector refreshed. It was a series of hex patterns like “44 00”; sometimes they would change to “40 00”, “18 00” or “00 00”

Then we used a disk editor to read the same sector and the same behavior persisted. Same results with other tools. On different computers.

The Hardware

I then paused and thought about the way most flash drives are created. A controller chip sits on the USB bus and communicates with the host machine and the actual flash storage chip. The flash storage chip is usually a flat, thin rectangular chip with a series of pins on both sides. Some flash drives have more than one such flash chip.

The controller is responsible for performing the actual sector writes/reads. Should the write switch be set to “read only” mode at device insertion time, the controller would tell the host that this drive is read-only and ignore / fail out write requests. The host on the other hand then would use this bit of information in the file system driver and mount the drive in read-only mode.

For instance the $Log file on improperly dismounted (“dirty”) NTFS drives would not be processed in order to roll back partial transactions.

Furthermore, the controller usually drives a LED to show disk activity and that the device actually is plugged in...


Publication: an ethical dilemma for digital forensics research?

by Chris Hargreaves

Chris Hargreaves
About the Author

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

Ethical issues in science are commonplace; examples such as cloning, climate change and genetic engineering are all subject to different ethical debates. Some subjects have clearly defined areas of potential ethical problems, for example in Psychology much consideration is given to the welfare of human participants involved in any experiments conducted. This would involve the consideration of concerns such as participants’ confidentiality, privacy, consent, right to withdraw etc. However, the welfare of human participants in experiments is not the only form of ethical debate and in some research areas there are other particular issues, such as animal rights, or indeed whether a particular technology should be researched at all. This article is not an attempt to identify all the potential ethical issues that digital forensics research could be subject to, but instead highlights a particular issue -- the potential impact of making the results of some digital forensics research publicly available.

To take a simple (and fictitious) example, in the case of research into ‘evidence removal’ tools, if research into a product revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence...


Thursday, June 03, 2010

Interview with Sam Raincock, Sam Raincock Consultancy

Forensic Focus: Sam, can you tell us something about your background and how you became involved in computer forensics?

Sam Raincock
Sam Raincock

Sam Raincock: Prior to university, I’d never considered computing as a potential career; in fact, I hadn’t really used computers apart from playing games. I decided I wanted to be a physicist and solve the world’s particle physics problems. After embarking on a physics degree, I became more interested in computers (even though they were running 3.1 and Solaris!) I made the radical decision to change my degree course to a BSc in computer science even though I was a complete novice in the area. However, I learnt very quickly and really enjoyed the challenges and problem solving. I was also lucky to work in two summer internships in IT departments at Morgan Stanley during my degree, so I at least had an appreciation of bigger businesses.

After my undergraduate degree, I embarked on research into the human factors involved in 3D imagery on 3D display systems – again a completely different area from my previous computing experience. However, I liked the mathematical challenges and the combination with human vision psychology. At the same time I was also working in contracting in web development and providing tutorials in all different types of computer science for undergraduates. I really enjoyed the teaching but I found being a programmer quite monotonous – it was a great insight into proving that a full time role in computer programming was not for me.

The research time and ability to develop a questioning mind is invaluable in my career today but after a few years of academic research I was really looking for a business driven challenge. An opportunity with Keith Borer Consultants, a forensic science company based in Durham, was presented to me and I started working as a mobile telephone/cell site examiner. There was lot of flexibility and encouragement and I was able to perform research and development into whichever digital fields I wished to explore - so I opted for them all!

Forensic Focus: What services does Sam Raincock Consultancy offer? What is a typical working week like?

Sam Raincock: The business is primarily concerned with providing a combination of computer investigation/expert witness services and IT security assessment services to corporates and solicitors alike. I love solving complex problems so I particularly enjoy computer forensic cases involving technically complex scenarios/problems or software system assessments (how does software A produce B logs and what do C logs actually mean).

In the telecommunications field, SRC can offer a full range of services but primarily concentrates on taking expert instructions in complex connection record and cell site analysis cases and providing advice to other companies in these types of cases.

My current passion is working in the breadth of the IT security fields with particular interest in ISMSs, the effective use of encryption, procedures for forensic labs, corporate investigations, process improvement post incident and the ISO 27001 standard. Very recently, I was accepted to work as an assessor with A2LA regarding digital and telecommunications lab assessments. I am very excited to be a part of the American new forensic lab standards.

I also provide training in all of the above and in my ‘spare’ time I write papers and perform research. I am also studying for the CISSP and ISO 27001 lead auditor certs.

Currently, a typical week is very long – around 80 hours if not more. Working in so many fields is quite a challenge but there is also the business element too – I have become my own accountant, marketing manager, IT Manager etc. However, I love the all round skills it is providing me with and how it enables me to work with a diverse range of partners, bodies and clients...