Tuesday, November 29, 2011

Forensic Toolkit v3 Tips and Tricks ― Not on a Budget

by Sean L. Harrington

"A couple of weeks ago, Brian Glass posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a Budget. His comment focused on how to “get close to SSD performance on the cheap” and he discussed the practice of partitioning a large hard drive, but using only the outer sectors of the platter, and frequent defragmentation. In my comment, today, I want to encourage readers to adopt Glass’ advice, and, if you have the budget, to consider a few other enhancements to improve performance..."

Read more

Is your client an attorney? Be aware of possible constraints (Part 2)

by Sean L. Harrington

"In my first post several weeks ago, I discussed some of the special obligations that digital forensics investigators may have while in the employ of a lawyer. I elaborated briefly on the duty to zealously guard the attorney-client privilege, to correctly apply the work product doctrine, and to conduct investigations in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party. In this second part of the series, I will explore another important factor for consideration by examiners: the legality of investigative techniques..."

Read more

iPhone Tracking – from a forensic point of view

Posted by 4rensiker

"iPhoneTracking is sexy! Every mobile forensic suite, at least the ones dealing with iPhones, is providing it proudly. iPhoneTracking has also been a hot topic in the media all around the globe. People stated that there is a way to display every step of an iPhone user ever since the device got bought. Hmm...sounds great for all kinds of investigations! Let’s see..."

Read more

Android Forensics Study of Password and Pattern Lock Protection

Posted by Oxygen Software

"Let’s see what Pattern Lock is, and how to access, determine or even get rid of it. We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to the forensic investigation process. Generally, a pattern lock is a set of gestures that the phone user performs to unlock his smartphone when he needs to use it. It seems to be complicated, but actually it is not..."

Read more

Skype in eDiscovery

by Stuart Clarke, 7Safe

"The EDRM (Electronic Discovery Reference Model) is a widely accepted workflow, which guides those involved in eDiscovery. Typically, the identification and collection phases see email and common office documents harvested, but as technology moves forward is this enough? Many of us are experiencing a rise in audio discovery projects using solutions including phonetics and speech to text. In time this is likely to move onto rich media, in particular video. As a forensic analyst, I know only too well the variety of different data sources which are overlooked in electronic disclosure exercises, yet I appreciate the strong argument of proportionality. Nevertheless, it is relatively straightforward to circumvent some proportionality claims with the appropriate skill sets and techniques. Throughout this article I will discuss proof of concept solutions dealing with Skype in eDiscovery..."

Read more

Forensic Toolkit v3 Tips and Tricks – On a budget

Posted by Brian K. Glass

"While researching FTK 3X and Oracle, you just recently discovered that the best configuration of your Oracle database would be on a solid state drive (SSD). Solid state drives give the maximum level of performance to Oracle databases and in turn speed up your FTK 3X responsiveness. You are a conscientious analyst and decide to try reinstalling your database on an SSD. You approach your boss, who is not a techno geek, and ask him to purchase a 256GB high performance SSD..."

Read more

Anonymous, what does it mean?

Posted by forens245

"Anonymous, a word which Merriam-Webster describes as: of unknown authorship or origin, not named or identified, or lacking individuality, distinction, or recognizability. There are some in this world that wish to remain anonymous, not named or identified. Sure I am one of these people, but I have my reasons. With the work that I do, clinging to my anonymity is how I keep myself safe, out of harm’s way. There are many people that would like to see me hang for what I’ve uncovered about them..."

Read more

Friday, October 07, 2011

YouDetect – Implementing the principles of statistical classifiers and cluster analysis for the purposes of classifying illegally acquired multimedia files

Author: Jonathan Murphy, 7Safe

Whilst all instances of the illegal acquisition of multimedia are not known, it is not possible to gain a complete loss value, but a loss of $12.5 billion has been suggested by the IPI. Continued response as a means of protecting the media companies and the income they receive from legal sales continues as copyright enforcement attempts to eradicate illegal downloading. This is forcing those who support the legal downloading material to invent new and more creative means to adapt technology to achieve an end to their means. ‘YouTube Downloader’ (YTD) is a proof of concept which allows the user to download videos (of any nature) from a number of video streaming websites simply by entering the URL of the video they wish to download. Whilst the application is specifically named after the website, YouTube.com, videos from many other websites can be acquired in this manner. The software allows the user to convert this video to a variety of multimedia formats including .mp3 and .avi. The individual can then view these files on any supporting media device or computer. In the case of copyrighted material, the individual who uploaded the material to YouTube in the first instance, as well as the individual who then ‘reproduced’ the material by extracting the video file, have infringed on copyright law. As of September 2011, YTD has received approximately 85 million downloads via the software download website ‘CNET.com’, making it the most commonly used tool of its type by a significant margin. Yet, for something which assists and supports illegal downloading and multimedia piracy so significantly, little has been done to develop a suitable response...

Read more

Advice for Digital Forensics Job Seekers

by Joe Alonzo

You see the job advertisements posted on the web every day: Digital Forensics Analyst, Internet Investigator, Computer Forensic Associate. You hit the Apply Now button, often never hearing back from said company.

Your background may consist of computer programming/IT, network security or possibly even a background in law enforcement. You ask yourself, “How do I get the attention of this organization and get them to hire me?”

Working for the leader in Computer Forensics and eDiscovery recruiting and seeing all the good and bad candidates have done, I can give you some great insight on how to get your dream job...

Read more

Tuesday, October 04, 2011

Forensic Toolkit v3 Tips and Tricks – Re-indexing a case

by Brian K. Glass

This is the first in a series of articles that will cover topics concerning AccessData Forensic Toolkit (FTK) version 3.

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic images of seized computers and assorted media which previously had been successfully processed and indexed. You’ve worked on this case for weeks, painstakingly searching and bookmarking thousands of keywords provided by Inspector R. Runner who has been investigating the Acme Corporation.

Monday morning you come to work and fire up your FTK cluster, open your case, go to Indexed Search, type in the keywords Wile E. Coyote and Ka-Blam!! You get an error message saying a Search Request Error has occurred (Figure 1). What happened? It was working fine on Friday.

Read more

Thursday, September 29, 2011

Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)

by Sean L. Harrington

Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.
In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus, http://www.forensicfocus.com/index.php?name=Content&pid=346. First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches). Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth...

Read more

Thursday, September 22, 2011

Publishing articles at Forensic Focus

Forensic Focus is always keen to publish articles, papers or blog posts of interest to the digital forensics community. Articles are published not only online but also included in the monthly newsletter (sent to over 12,00 subscribers) and promoted via our homepage/RSS feed, Twitter, LinkedIn and Facebook accounts.

This is an excellent way of raising your profile or promoting your blog and items for publication are welcome from anyone working or studying in the field.

To register as an author and start publishing at Forensic Focus, please use the form at http://articles.forensicfocus.com/contact/

Monday, September 19, 2011

What is “good enough” information security?

by Simon Biles

I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What there is in common with most people who are keen, but still a bit wet behind the ears, is an idealistic world view where Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, irregardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Ocean’s 11” – I know what can happen to a safe.

The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either...

Read more

Wednesday, August 24, 2011

Obtaining Information from Mobile Devices in Criminal Investigations

by David W. Bennett

Mobile device forensics is the process of recovering digital evidence from a mobile device under forensically sound conditions and utilizing acceptable methods. Forensically sound is a term used in the digital forensics community to justify the use of a particular technology or methodology. Many practitioners use the term to describe the capabilities of a piece of software or forensic analysis approach (McKemmish, 3). Mobile devices vary in design and manufacturer. They are continually evolving as existing technologies progress and new technologies are introduced. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis. Knowledge of the various types of mobile devices and the features they possess is an important aspect of gathering information for a case since usage logs and other important data can potentially be acquired using forensics toolkits.

Mobile device forensics has expanded significantly over the past few years. Older model mobile phones could store a limited amount of data that could be easily obtained by the forensics investigator. With the development of the smartphone, a significant amount of information can still be retrieved from the device by a forensics expert; however the techniques to gather this information have become increasingly complicated...

Read more at http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/

Tuesday, August 23, 2011

An in-depth analysis of the cold boot attack: Can it be used for sound forensic memory acquisition?

by Richard Carbone

The purpose of this technical memorandum is to examine the technical characteristics behind the cold boot attack technique and to understand when and how this technique should be applied to the field of computer forensic investigations. Upon thorough examination of the technique, the authors highlight its advantages, drawbacks, applicability and appropriateness for use in the acquisition of computer memory contents. The original cold boot attack paper, as conducted by a team of students and researchers in 2008, demonstrated the usefulness of computer memory remanence and how this phenomenon could be used to defeat popular disk encryptions tools and other data hiding techniques necessary for the safe storage of secret data and information. However, the technique is not a panacea and has many drawbacks dictated by the laws of physics, which cannot be overcome by the technique...

Read more at http://articles.forensicfocus.com/2011/08/21/an-in-depth-analysis-of-the-cold-boot-attack-can-it-be-used-for-sound-forensic-memory-acquisition/

Monday, August 22, 2011

Google History Forensics

by Craig Ball

About the author: Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

In my last Forensic Focus column, I touched on migration to handhelds and the cloud, mushrooming drive capacities and encryption-by-default as just some of the factors auguring the eventual extinction of conventional digital forensics. But an end to old school digital forensics is no threat to examiners who evolve. There will be plenty to do for those adapting their skills and tools to new sources and forms of information. We will learn to read new tea leaves.

Happily, for every source of forensically-rich information that fades away, others emerge. For every MacBook configured to wipe deleted data, there’s an iPhone storing screenshots and typed text. When webmail shooed away some of our ability to locate messaging artifacts, social networking and geolocation wandered in with stories to tell.

Now and then, the emergent sources just seem too good to be true.

Case in point: Google History.

Certainly, forensic analysts routinely look at Google searches locally; parsing Internet activity to assess what the user searched and surfed: “Nude children.” “How to make chloroform.” “Wipe a hard drive.” It’s compelling evidence.

But, as users grow savvy about covering their tracks, we see more cache deletion and deployment of antiforensic “privacy” tools designed to deprive us of the low-lying fruit. It’s potentially “spoliation” on the civil side and “obstruction of justice” on the criminal side. On both sides, proving it helps justice be done.

Then again, data can disappear innocently, too. Oliver Wendell Holmes, Jr., observed that, “Even a dog distinguishes between being stumbled over and being kicked." Discerning evil intent—mens rea in the law—is crucial to deciding whether and how much to punish actions that result in lost evidence. One way we demonstrate intent is by showing the planning that preceded an act. We reasonably infer intent to destroy evidence from web searches seeking ways to make evidence disappear.

But what do you do when the data destroyed is the evidence of intent in its destruction?

Read more at http://www.forensicfocus.com/craig-ball

Friday, July 29, 2011

Important Changes to "Articles & Papers" Section

From today, the section where we display user submitted articles and research papers is changing significantly. Users will now be able to upload, edit and publish their own articles.

The URL for the new section is http://articles.forensicfocus.com/

If you would like to submit an article or paper please email admin@forensicfocus.com so that we can start the process of setting you up with an account (separate from your normal Forensic Focus account).

Wednesday, June 29, 2011

Interview with Scott Burkeman, Warner Scott Recruitment

Scott is a Director at Warner Scott Recruitment in London, specialising in computer forensics recruitment throughout the UK and abroad.

Forensic Focus: Can you tell us something about your background? How did Warner Scott Recruitment come into being?

Scott Burkeman: I have been involved in Forensic Technology and Fraud recruitment for over a decade, working for an international recruitment firm and more recently with Warner Scott. I initially began placing Senior Forensic Accounting professionals prior to the boom in Computer Forensics. Many of my clients were looking to develop Computer Forensic teams from scratch and asked me to get involved in the recruitment of Forensic Technology candidates to assist in their growth plans. Since then, the rest is history!

Warner Scott Recruitment was set up in 2006 as a specialist recruitment consultancy with the vision of developing long-standing, meaningful relationships with both our candidates and clients. We have a strong focus on the Computer Forensic and eDiscovery market and are one of only a handful of specialist consultancies that have a dedicated team focusing in this area.

Many of the candidates we have placed over the years are now our clients and vice versa. We pride ourselves in our market knowledge, deep relationships and a strong understanding of the markets we operate in. We are fortunate enough to work on many roles on an exclusive basis as our clients trust us enough to find the best people in the market.

The Computer Forensic area is an extremely unique market to operate within and has some wonderful characters and personalities that make this area a pleasure to work in.

Forensic Focus: What services do you offer to digital forensics jobseekers?

Scott Burkeman: We are more than just a recruitment firm. As well as placing candidates into roles, we offer career advice and counselling, coaching, CV advice, interview tips and much more. As mentioned above, we are keen to develop long term relationships with our candidates, so if anyone fancies a chat about the state of the market, is looking to benchmark their salary or just wants some career advice, please do not hesitate to call us, or pop in to see us for a coffee and chat.

Forensic Focus: What is the current state of the digital forensics job market? Which sectors are hiring?

Scott Burkeman: The market has been up and down in recent years, which has been characterised by the state of the wider economy. With the government cuts in public spending, there has been much uncertainty within the public sector, which has resulted in some redundancies. Many private sector companies which previously had large government contracts have had to adapt and change to accommodate the loss of work.

However, the eDiscovery & Litigation Support market continues to remain buoyant, as does the Data Analytics arena. The large consultancy firms and international boutiques are still hiring the best candidates, and increasingly Banks and Corporates are approaching us to help fill in-house Investigations roles.

With the increase of Anti Money Laundering (AML) projects and the introduction of the Anti Bribery & Corruption Act this year, the demand for Forensic Technology experts with strong corporate investigations experience remains high...

Read more at http://www.forensicfocus.com/scott-burkeman-interview-290611

Tuesday, May 24, 2011

Scott Moulton’s “5-Day Data Recovery Expert Certification” Course

reviewed by Karlo Arozqueta

Just about every individual who is immersed in the Information Technology field has either personally experienced it, or knows someone who has: the hard drive “click of death”. For most, this sound is the start of a downward spiral of doom and depression and eventually a large bill from a data recovery company. For some, however, this is the beginning of a new field of interest in technology. There is only one problem: the field of hard drive data recovery is one that is still shrouded in secrecy and misinformation. How can someone break into an industry where advice is doled out in hushed tones and newcomers are shunned and told to seek professional (read: $$$) help?

Scott Moulton has been trying to change that, and is one of the few individuals teaching a vendor-neutral data recovery class to the public. I attended one of Scott’s 5 day training classes in 2009, and have kept up with him as the course has grown. In an effort to assist other individuals in deciding if this course is worth taking, I opted to write this review. Please note that while my personal attendance of the course was in 2009, I routinely volunteer to assist in these courses (for free) when they come to my geographic area of Washington DC, so this information is current as of May of 2011. Also, while the term “hard drive” has now become the catch-all term, the course material covers recovery of both traditional mechanical hard drives and touches on the latest recovery technologies for flash based devices like USB thumb drives and Solid-State Drives (SSD).

This class is appropriate for any individuals who have a solid understanding of computer forensics and filesystems and want to take their knowledge to the next level in terms of understanding exactly how data is stored on the drive, how the device works, and how it can be recovered when conventional imaging techniques fail. This was my primary reason for attending the course. The class is also appropriate for any individual who wants to approach data recovery as a means to expand their computer-support business and wants to add DR (data recovery) as an additional service...

Read more at http://www.forensicfocus.com/scott-moulton-data-recovery-review-200511

Standard Units in Digital Forensics

by Chris Hargreaves

About the author: Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

One of the earliest lectures in the MIT Openware programme in Physics begins with the lecture “Units and Dimensional Analysis”. Units of measurement are critical to science, so much so that there is a standard that defines science’s system of units, for example the precise definition of a kilogram -- the SI (Système International d’Unités or International System of Units). The notion of units of measurement in science is extremely important and it therefore seems sensible to consider how this applies to digital forensics.

As we will see, this does not necessarily suggest that there should be standard units of measurement in digital forensics, to report, for example, the position of the start of a file. As will be discussed later in the article, this is not always appropriate, since it is useful to describe such positions in different ways depending on the context. However, this article will argue that reporting some unit of measurement is essential.

Perhaps it is best to begin with a simple example:

“the text string ‘this is evidence’ was located at position 34556”

Since this important evidential artefact has been located, it seems sensible to check that the artefact is actually there. So, we should examine position 34556... but 34556 what? Bytes, sectors, blocks? Let us assume just for a second that the position is expressed in bytes, but what about the number base? If the position in which the string was identified was 86FC, it would be reasonable to assume that this is a hexadecimal offset. However, in this example we have 34556. This could be decimal or hexadecimal. So in order to precisely identify the position of this string, not only does the unit of measurement need to be expressed, but so too does the number base in which it is expressed.

Furthermore, consider the organisation of a disk...
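The ambiguity described above can be made concrete. The following is an added example, not code from the article: it takes a reported position such as "34556" with no stated unit or number base, enumerates every plausible reading (decimal or hexadecimal; bytes, sectors or blocks), and checks which readings actually land on the quoted string in a constructed test image. The 512-byte sector and 4 KiB block sizes, the function names and the sample image are all assumptions of this example.

```python
"""Resolve an ambiguously reported artefact position into concrete byte offsets.

Added example (not from the article). Given a position string with no unit or
number base, enumerate every plausible interpretation and verify which ones
really place the quoted string at that offset in the image.
"""
from itertools import product

SECTOR_SIZE = 512   # assumption: classic 512-byte sectors
BLOCK_SIZE = 4096   # assumption: 4 KiB filesystem cluster/block

UNITS = {"bytes": 1, "sectors": SECTOR_SIZE, "blocks": BLOCK_SIZE}
BASES = {"decimal": 10, "hexadecimal": 16}


def to_byte_offset(position: str, unit: str, base: str) -> int:
    """Convert a position with an explicit unit and number base to a byte offset."""
    return int(position, BASES[base]) * UNITS[unit]


def candidate_offsets(position: str) -> dict:
    """Every (unit, base) reading of a bare position string that parses at all.

    "86FC" cannot be decimal, so only the hexadecimal readings survive;
    "34556" parses in both bases and is therefore genuinely ambiguous.
    """
    candidates = {}
    for unit, base in product(UNITS, BASES):
        try:
            candidates[(unit, base)] = to_byte_offset(position, unit, base)
        except ValueError:      # digits not valid in this base
            continue
    return candidates


def verify_position(image: bytes, position: str, needle: bytes) -> list:
    """Return the (unit, base) readings at which `needle` really starts in `image`.

    Offsets beyond the end of the image simply yield an empty slice and never match.
    """
    hits = []
    for key, off in candidate_offsets(position).items():
        if image[off:off + len(needle)] == needle:
            hits.append(key)
    return hits


def build_sample_image(size: int, placements: dict) -> bytes:
    """Constructed test image: zero-filled, with each bytes value written at its offset."""
    buf = bytearray(size)
    for off, data in placements.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    needle = b"this is evidence"
    # Constructed 256 KiB image with the string at decimal byte offset 34556 (0x86FC).
    image = build_sample_image(256 * 1024, {34556: needle})
    print("readings that verify for '34556':", verify_position(image, "34556", needle))
    print("readings that verify for '86FC': ", verify_position(image, "86FC", needle))

    # A second constructed image with the string at BOTH 34556 (decimal) and 0x34556
    # (= 214358): the bare report "34556" now verifies under two readings, so the
    # report cannot be checked without its number base.
    ambiguous = build_sample_image(256 * 1024, {34556: needle, 0x34556: needle})
    print("ambiguous report:", verify_position(ambiguous, "34556", needle))
```

Note that 0x86FC and 34556 are the same byte offset, which is exactly why the article's two example positions can refer to the same artefact; the check only becomes decisive once the report states both the unit and the base.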

Read more at http://www.forensicfocus.com/chris-hargreaves

PitchLake - a tar pit for scanners

by Simon Biles

About the author: Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

We’ve had two bank holidays in a row here in the UK – first off for Easter, then for the Royal Wedding – time off work coupled with very pleasant weather and plenty of “refreshments” has caused my brain to atrophy! So, rather than pulling one of my usual type of topics from the hat for this article, I thought that I’d do a mini-project for the month.

[ I’ll apologise up front though – I can only just program in both Perl and C, and C isn’t exactly column friendly, so it’ll be Perl. I know that many readers here can program in Perl, and most of you probably better than me – I’d be interested to hear corrections, tips and tricks in the comments so as to improve, as no doubt there are better ways of doing this ! ]

One of my first tasks in the office this morning, after a cup of coffee of course, was to review my server logs [1]. As yet I’ve not got enough staff to have a minion to do this for me, but to be honest I’d miss the connection to the real world of computing if I did [2]. I run a Linux server in a datacentre in Birmingham as my company’s main web-server and my high bandwidth, static IP’d pen-test machine. For the last few months I’ve been meaning to do something about the 404 errors (http://en.wikipedia.org/wiki/HTTP_404) that are being reported by Apache – some are my fault for taking pages away that people clearly still cross reference – the others though are clearly the work of automated web vulnerability scanning tools.

Vulnerability scanners (http://en.wikipedia.org/wiki/Vulnerability_scanner) are the bottom end of the pen-test toolkit – they are to penetration testing what the Windows “find” command is to digital forensics, i.e. superficial and basic. There are various types – but of interest today are those that operate on the application layer over HTTP (http://en.wikipedia.org/wiki/ISO_model#Layer_7:_Application_Layer). In the open source market both Nikto (http://www.cirt.net/nikto2) and Nessus (http://www.tenable.com/products/nessus) [ Nessus isn’t open source per se, but is free for home use … ] are examples of products that perform tests against webservers for potentially insecure CGIs and files. The trouble with this is that in order to determine if an insecure CGI script or file is present, the scanner asks Apache for it, and receives a 404 if it isn’t there; each 404 is written to the log, and when Nikto, for example, tests for over 6400 possible vulnerabilities you can imagine what the logs look like! Sadly, tools like these, as they are available to everyone, are not only used by the kind of people that get written authorisation before testing your web server...

Read more at http://www.forensicfocus.com/simon-biles

Tuesday, March 29, 2011

The End of Digital Forensics?

by Craig Ball

About the author: Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks. Instead, we’ve come to see much more revealing data and metadata created and retained by operating systems. The Windows Registry and all those logs and .dat files are like birthday presents from Bill Gates.

Finally, there are the stormy forecasts about the Cloud. Absent dominion over physical storage media, digital forensics is indeed different. We need credentials to acquire data in the Cloud, and deletion tends to mean really gone. But the silver lining is that the portable devices used to access Cloud data tend to store so much information that they’re proving a cornucopia of case-making information. Are handhelds trickier to acquire? Sure. Are they less revealing? Not on your life!

But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?

Read more at http://www.forensicfocus.com/craig-ball

Sunday, March 27, 2011

Fragmentation of the digital forensics community

From the forums:

I started in the digital forensics community about five years ago, and I already feel old, and I am a Johnny-come-lately. This post may come off as a “Hey, you kids, get offa my lawn!” rant. Rather than a rant, I really hope that people start talking about a way to find a small number of safe lawns for all the kids to play on.

In those five years I’ve noticed that the computer forensics community has become *less* supportive, not more supportive. This runs contrary to trends to other communities such as software engineering tools, web frameworks, and startups. I have some feelings and thoughts on why this is. I wish I had some good ideas on how to turn this trend around.

I think there are four major problems:

1) Fragmentation of the sites supporting the community.

When I showed up, there was Forensic Focus, the CCE list, and HTCIA. (And other people probably had their three or four sources that don’t overlap with mine.) Now, I’ve got Forensic Focus, CCE, HTCIA, HTCC, DFCB, wn4n6s, and a host of OS and tool specific sites. Then there is LinkedIn, with an almost one to one mapping of all the external groups, plus subgroups, plus additional new groups not represented elsewhere. It seems that everyone wants their own lawn to play on rather than contributing to the health of an existing lawn. How often have you seen a post along the lines of “Hey, I set up a new forensics wiki! Come check it out and help it grow!” Or found yet another computer forensics LinkedIn group?

This leads to two related problems: Where do you post, and where do you go looking for information? I belong to a lot of the mailing lists and use my personal mail archive as a research tool when I have questions, but that doesn’t reach into the various web based forums. And if I want to post a question, where does it go? Some people blast every mailing list they’re on, hoping for an answer. And the more we balkanize, the more likely those questions are to go unanswered.

I still use FF and the CCE list mostly, but then there are items #2 and #3...

Read more at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=7442

Thursday, March 24, 2011

Evaluating Mobile Telephone Connection Behaviour - Part 2

by Sam Raincock

Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.

Connection Records

Within the UK, details of past telephone connections are stored by the network providers. The minimum storage is advised by the Data Retention (EC Directive) Regulations [1][2]. However, each network provider is able to disclose different types of information about past connection activity and this availability also changes over time. As a result, it is important to be familiar with what connection record information may be available to your case so you can make appropriate requests to obtain access to it. Perhaps a useful strategy for companies undertaking connection record evaluation work would be to compile a procedure where your organisation will contact the network providers every 6 months to determine if anything has changed.

It is also important to note that the network providers will provide a ‘standard’ format of connection records if they are not directed regarding the information you require. My philosophy with network records is that if you don’t ask, you won’t get it!

Examining Connection Records

Most often the instructions received in connection charting matters are to compile charts of connection patterns of the telephones of interest in a case. This is generally over a certain time period and may also include a frequency analysis to determine how many connections have occurred with particular numbers of interest. It may (especially in defence cases) also include questions about the meaning of connections and the possible circumstances of the calls/SMS messages.

Where connection records specialists are lucky, they are provided with the records in electronic format. Where they are ill-fated they obtain a file of 500+ pages in paper format and the electronic records are unavailable (very common in older cases).

With paper records, you have two options: transfer the records into electronic format (however, you are going to have to thoroughly validate that this has occurred correctly) or you will need to examine them by eye. Actually, dealing with paper connection records is a lot easier than it sounds as you become used to looking for patterns over time.

With electronic records, if you are using pivot tables to assist you in performing a frequency analysis of the connection behaviour to establish how many connections have been made with certain telephone numbers of interest, remember that a telephone number may be provided in the records in various formats. For example, 07777 111111 may also be provided as 447777 111111.

Also with electronic records – make sure you don’t suffer from sorting issues. Firstly, if you haven’t set your data to be the correct type (which can be an annoying activity in itself), sorting can produce unexpected results. And of course, there is also the old Excel sorting problem where you sort by column and don’t expand the selection to the other data values too, resulting in shuffling your original connection records table.

Although all these points may seem very basic, in my experience mistakes do occur in this type of processing. Another area for error is overlooking the obvious – the date being in the wrong format or the wrong number is searched for etc. Hence, the key when performing connection charting/analysis is to validate, validate, validate and assume nothing...

Read more at http://www.forensicfocus.com/sam-raincock
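The two pitfalls Raincock flags for electronic records, numbers appearing in several formats and rows being shuffled by a careless sort, can both be dealt with before any pivot table is built. The script below is an added example and is not part of her article or of any provider's tooling: it reduces every spelling of a UK mobile number to one canonical digit string before counting, and sorts complete rows by a parsed timestamp with the date format declared explicitly. The five connection records, the two numbers of interest and the UK country code default are all constructed for illustration.

```python
"""Frequency analysis of telephone connection records.

Added example: normalises the different ways a number appears in provider
records before counting, and sorts whole rows by a typed timestamp. All
records below are constructed for illustration; none are real network data.
"""
import re
from collections import Counter
from datetime import datetime

UK_COUNTRY_CODE = "44"  # assumption: the records come from UK networks
# Declare the provider's date layout explicitly. A wrong format string silently
# mis-orders every date whose day value is 12 or less, so this must be checked
# against the records rather than assumed.
DATE_FORMAT = "%d/%m/%Y %H:%M:%S"

# Constructed records: the same handsets appear in four different formats.
SAMPLE_RECORDS = [
    {"when": "27/03/2011 09:15:02", "calling": "07777 111111", "called": "07888 222222", "type": "Voice"},
    {"when": "26/03/2011 23:58:41", "calling": "447888222222", "called": "+44 7777 111111", "type": "SMS"},
    {"when": "27/03/2011 09:20:10", "calling": "0044 7777 111111", "called": "07999 333333", "type": "Voice"},
    {"when": "27/03/2011 09:30:00", "calling": "07999333333", "called": "07666 444444", "type": "SMS"},
    {"when": "04/04/2011 10:00:00", "calling": "07777 111111", "called": "07666 444444", "type": "Voice"},
]


def normalise_msisdn(raw, country_code=UK_COUNTRY_CODE):
    """Collapse '07777 111111', '447777111111', '+44 7777 111111' and
    '0044 7777 111111' to one digit string, '447777111111'.
    Entries with no digits at all (e.g. 'Withheld') are returned unchanged."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return raw.strip()
    if digits.startswith("00"):          # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):         # national trunk prefix
        digits = country_code + digits[1:]
    return digits


def connection_frequency(records, numbers_of_interest):
    """Count how many records involve each number of interest, whatever
    format either party was recorded in. Keys are the numbers as supplied."""
    wanted = {normalise_msisdn(n): n for n in numbers_of_interest}
    counts = Counter()
    for rec in records:
        for party in (rec["calling"], rec["called"]):
            key = normalise_msisdn(party)
            if key in wanted:
                counts[wanted[key]] += 1
    return counts


def sort_by_time(records, fmt=DATE_FORMAT):
    """Sort complete rows by parsed timestamp. Sorting rows rather than one
    column keeps every record intact (the spreadsheet 'expand the selection'
    mistake cannot happen), and strptime raises on any value that does not
    match the declared format instead of quietly mis-sorting it."""
    return sorted(records, key=lambda r: datetime.strptime(r["when"], fmt))


if __name__ == "__main__":
    for number, n in connection_frequency(SAMPLE_RECORDS, ["07777 111111", "07888 222222"]).items():
        print(number, n)
    for rec in sort_by_time(SAMPLE_RECORDS):
        print(rec["when"], rec["calling"], "->", rec["called"], rec["type"])
```

Note the "04/04/2011" row: sorted as text it would land first, sorted as a datetime it lands last. If a provider's export mixes day-first and month-first dates, the strptime call will raise on the first day value above 12, which is the cue to go back to the provider rather than to loosen the format.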

Tuesday, March 22, 2011

Biles’ Hierarchy of Disaster Recovery Needs

by Simon Biles

Having failed to keep up with my New Year’s resolution of being more organised (the observant of you might have noticed the absence of a February column), it’s nice to be able to move into a new season – spring is with us and in the UK at least, that seems to mean a return to below freezing nights and having to defrost my car each morning. Roll on global warming I say! It never ceases to amaze me how quickly the UK grinds to a halt when we have a little inclement weather, you’d think that we’d be used to it by now – but over December I had the absolute pleasure of being stuck in Edinburgh because there was the wrong amount of snow on the runway or something like that. Luckily, we had contingency plans in place and, after 48 hours we were back at home in Oxfordshire. We were certainly fortunate - we passed hundreds of people in the airport who weren’t going anywhere and had no other option but to wait it out. In vast contrast, in the Middle East over the last few months, not only has the weather been hot, but so has the political climate, and I have been amazed by the speed with which the ruling governments have acted to cut off the internet.

The tenuous link? Business Continuity Planning and Disaster Recovery Planning. It doesn’t take long if you watch the IT News before you come across a good example of bad BCP/DRP – my favourite this month was Vodafone but this is just a retelling of an old story. The fact that a major organisation (a) had a single point of failure in the first place and (b) couldn’t fail it over to another, backup site immediately is more than a little embarrassing. Vodafone are in quite a privileged position though, whilst their outage is clearly damaging to their image, in real terms, their clients are tied into long term contracts, it was one day out of service out of a year, and their clients' capability to demonstrate their own BC/DR plans (e.g. use a landline) mean that they are unlikely to lose much business from the mistake. For a smaller outfit however, the loss of even one component (like your laptop or examination machine) could cripple you for days and potentially lose you significant business. I, personally, suffered a hard disk failure on my MacBook Pro (under Apple Care, but not a quick fix – two weeks) and although I had full backups of everything to within 24 hours, I had to go and source a temporary machine to restore them to in order to carry on working. In fact, in light of the fact that I _didn’t_ have a BCP/DRP, I bought a second, smaller & cheaper, laptop that I could bring into play should the main one fail again.

Before I go on, I should clarify that there is a difference between BCP and DRP – one (BCP) tends to be used for aspects of failure, such as a hard-disk failing, the other (DRP) is in the case of catastrophic events, such as your building burning down. In my experience most people don’t have an adequate plan of either kind, however there is a lot of common material between the two, and I’m going to continue this article from more of a DRP perspective...

Read more at http://www.forensicfocus.com/simon-biles

Monday, February 28, 2011

Geotags: Friend or Foe?

by David Benford
Director, Blackstage Forensics

I recently wrote a research paper, “Geotag Data: The Modification of Evidence on the Apple iPhone”, based around the possibility of modifying geotag evidence on the Apple iPhone. A test was performed as part of this project, to find out how easy it is to discover a person’s home location, social and business movements and background information.

The process was begun by doing a Google Image search for the criteria “Blog iPhone self taken”. This was to trace an image taken by an iPhone for a personal blog, which would hopefully be of the user, hence “self taken”. In Google “Advanced Image Search” some changes were made, such as “Tall Image” and “JPG” file type being ticked; the theory being that most iPhone images are of portrait type and JPG format. An image appeared that seemed suitable of a woman photographing herself at the hairdresser's. The image was saved and opened in TAGView which showed the location of the shop to be in a specific street in Oregon. As there is only one hairdresser listed in this street the process of selecting the correct business was straightforward. The image linked through to the woman’s blog and by doing a search, several more images taken on her iPhone were found complete with geotag data. The woman had taken a photograph of a magazine, mentioning that she was reading it at the dentist’s surgery. The surgery could be located within a minute and was found to be around the corner from the hairdresser’s shop. There was an image of a cake, along with its geotag pointing to Walmart. There was an image of her foot, taken in her kitchen, and the geotag gave an approximate location of where she lived. Images on the blog that were taken on her drive had no geotags. With an approximate idea of her home address, these could be used to pinpoint the exact property by viewing Google Street View. There were also non-tagged images of her family, giving further personal information. In the side margin of the blog there was a link to her Twitter page. Twitter displayed her actual name, where she was at any time and gave an even more detailed pattern of her movements, social life, family’s sports and hobbies, dining out preferences and so on. All of this information was derived from the source of just one geotag within a JPG image. 
This woman was potentially not only putting herself at risk, but also her family...

Read more at http://www.forensicfocus.com/geotags-friend-or-foe
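Benford's trace started from a single GPS record inside a JPEG's EXIF block. The script below is an added example, not code from his paper or from TAGView: it walks the JPEG marker segments, finds the APP1 EXIF payload, follows the TIFF IFD0 pointer to the GPS IFD and converts the degree/minute/second rationals to signed decimal coordinates; a second function removes every APP1 segment, which is the "foe" side of the argument, what a user would do before posting. Because it must run offline, it builds its own minimal JPEG in code; the coordinates, offsets and the JPEG shell are constructed and stand in for no real image.

```python
"""Read and strip EXIF GPS geotags from a JPEG.

Added example. It parses the APP1/EXIF TIFF structure directly (no third-party
library) so each step is visible, and builds its own sample JPEG in code: the
coordinates and the minimal JPEG shell are constructed, not from any real image.
"""
import struct

GPS_IFD_POINTER = 0x8825
# TIFF field type -> size in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to SOS (0xDA)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:               # start of scan: entropy-coded data follows
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw bytes)} for one IFD, following the
    offset for any value that does not fit in the 4-byte inline field."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            data = tiff[e + 8:e + 8 + size]
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            data = tiff[off:off + size]
        entries[tag] = (typ, n, data)
    return entries


def _rationals(data, n, endian):
    return [num / den if den else 0.0
            for num, den in struct.iter_unpack(endian + "II", data[:8 * n])]


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the file
    has no EXIF GPS IFD or the IFD lacks the four position tags (1-4)."""
    for marker, start, end in _iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2][:4])[0]
        gps = _read_ifd(tiff, gps_off, endian)
        try:
            lat_ref = gps[0x1][2].rstrip(b"\x00").decode("ascii")
            lon_ref = gps[0x3][2].rstrip(b"\x00").decode("ascii")
            lat = _dms_to_decimal(_rationals(gps[0x2][2], 3, endian), lat_ref)
            lon = _dms_to_decimal(_rationals(gps[0x4][2], 3, endian), lon_ref)
        except KeyError:
            return None
        return lat, lon
    return None


def strip_app1(jpeg):
    """Return a copy with every APP1 segment (EXIF incl. GPS, and XMP)
    removed; the compressed image data is left untouched."""
    out, last = bytearray(), 0
    for marker, start, end in _iter_segments(jpeg):
        if marker == 0xE1:
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI, one little-endian EXIF APP1 holding only a GPS
    IFD, a placeholder SOS, EOI. Offsets: IFD0@8, GPS IFD@26, lat@80, lon@104."""
    E = "<"

    def rat(vals):
        return b"".join(struct.pack(E + "II", n, d) for n, d in vals)

    ifd0 = struct.pack(E + "H", 1) + struct.pack(E + "HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(E + "I", 0)
    gps = struct.pack(E + "H", 4)
    gps += struct.pack(E + "HHI", 0x1, 2, 2) + lat_ref.encode() + b"\x00" * 3
    gps += struct.pack(E + "HHII", 0x2, 5, 3, 80)
    gps += struct.pack(E + "HHI", 0x3, 2, 2) + lon_ref.encode() + b"\x00" * 3
    gps += struct.pack(E + "HHII", 0x4, 5, 3, 104)
    gps += struct.pack(E + "I", 0)
    tiff = b"II\x2a\x00" + struct.pack(E + "I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\xff\xd9")
```

Run against a real photograph, `extract_gps(open(path, "rb").read())` gives the same decimal pair a tool such as TAGView would plot, and `strip_app1` is what "removing the geotag" amounts to at the byte level. The sample coordinates (45°31'12"N, 122°40'30"W) are invented for the test and carry no connection to the blog described above.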

Thursday, February 24, 2011

Computer forensics to die out by 2020

Somewhat contrary to expectations, I was interested to see that a search for "computer forensics" using Google's Insights for Search tool would appear to suggest that global interest in the field will fizzle out completely by 2020 or thereabouts (my screen wasn't quite wide enough to do an exact calculation):

Make hay while the sun shines, boys, the end is nigh!

Is the NTSB a model for incident response?

by Sean McLinden

Recently, the events surrounding the defacement of the HBGary Web site and publication of sensitive data were being bantered about on a number of forensic, security and incident response sites. As is typical for these kinds of high profile events, some of those voicing opinions were not in the know while those who actually knew something were being silent.

In my experience this is commonly the case. High profile events can damage the reputation of individuals and companies and in many cases the truth, coming from those in the know, is more damaging than speculation from those in the bleachers. Counsel for the proximate "victims" often advise their clients to say nothing, reasoning that any official comment could be construed as an admission, whereas the speculation of others can be labeled as just that.

The following, alleged, accounting of the HBGary incident, while tinged with mildly satirical comments is, nonetheless, one of the most thought-provoking, if not accurate, descriptions of the surrounding events. It can be found here:


and it got me thinking.

Many years ago, I had a horrific experience at Chicago O'Hare International Airport when, while looking out the window of the concourse, I witnessed American Airlines DC-10 Flight 191 take off, roll to the left, and plunge to the ground along with 258 passengers and 13 crew. There is something unnerving about air crashes though they kill far, far fewer than automobile accidents and, I suspect, part of the reason why is that they often lack a reasonable explanation when they happen.

But one difference between airplane accidents and digital incident investigations is that the former is a public process and a process by which we learn what failed, and why. And American Airlines Flight 191, like the account described in the link above, is a perfect example of what is to be learned through a public process...

Read more at http://www.forensicfocus.com/sean-mclinden

Friday, January 28, 2011

Interview with Ben Findlay, North Yorkshire Police Hi Tech Crime Unit

"Many people are familiar with the concept and importance of validating and verifying (V&V) results (and the difference between the two), but it would be fantastic if this could be engineered into the software (perhaps through some form of fundamentals or 'first-principles' methodology). I doubt whether V&V can ever be made truly redundant by formal specifications, but the process could certainly be made far easier..."

More here

"I'm here! Now what?"

by Ken Pryor

"Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?"

More here

Challenges of Smart Phone Forensics

by Rob Adams

"Mobile devices have become an essential component of our daily lives. These devices keep us connected and act as so much more than the cell phones and portable music players of the 1990s. It is common today for a smartphone to act as a mobile office, social tool, and an entertainment center all rolled into one. Many households have one or two computers shared by the inhabitants, but almost everyone over 16 has a cell phone and, since the device is tied more closely to the user, the data is also..."

More here

Tuesday, January 25, 2011

Test Images and Forensic Challenges

A list of sample images and forensic challenges is now available at:


Additions are encouraged and may either be sent through the feedback form or added to this forum topic. Thank you to those who helped compile the current list.

Wednesday, January 19, 2011

Evaluating Mobile Telephone Connection Behaviour - Part 1

by Sam Raincock

Examining Mobile Equipment – Ensuring Accuracy

In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence.

There are various types of examinations conducted on mobile telephones to extract the call information and SMS messages (collectively I shall refer to these as connection information). The examination of a SIM card is a fairly ‘trivial’ process with a well-defined extraction procedure. However, handset examinations may be much trickier. For standard handset examinations (those that generally only extract the information live on the handset) there is no one product that can extract all of the connection information available for all handsets. Hence, when examining handsets, it is important as a first step to ensure the accuracy of the evidence you are presenting.

When presenting your evidence it may be worthwhile considering the measures you implement to ascertain both the accuracy and the meaning of the information you present, so that you can establish that:

1. The extracted information is accurate and correctly attributed. For example, that a reported SMS message has the correct content and is appropriately stated as a sent, draft or a received SMS message.

2. The information is complete and where it is not, the omissions are known (and clearly declared in the report) or manually obtained.

3. The information is unambiguously reported.

These may sound like obvious points, however, in my experience sometimes failures are found in all three areas which then lead to issues when the evidence is used to ascertain the connection behaviour of a telephone. As a mobile telephone examiner, it is important to establish appropriate procedures and to report the limitations of the data you are presenting otherwise at a later stage they may be open to misinterpretation. Omissions are particularly important since information such as duration of calls and times of calls may become crucial to resolving what occurred so it is important to make your reader aware what information may be present but remains unextracted...

Read more at http://www.forensicfocus.com/sam-raincock