Tuesday, May 24, 2011

Scott Moulton’s “5-Day Data Recovery Expert Certification” Course

reviewed by Karlo Arozqueta


Just about every individual who is immersed in the Information Technology field has either personally experienced it, or knows someone who has: the hard drive “click of death”. For most, this sound is the start of a downward spiral of doom and depression and eventually a large bill from a data recovery company. For some, however, this is the beginning of a new field of interest in technology. There is only one problem: the field of hard drive data recovery is one that is still shrouded in secrecy and misinformation. How can someone break into an industry where advice is doled out in hushed tones and newcomers are shunned and told to seek professional (read: $$$) help?

Scott Moulton has been trying to change that, and is one of the few individuals teaching a vendor-neutral data recovery class to the public. I attended one of Scott’s 5-day training classes in 2009, and have kept up with him as the course has grown. In an effort to assist other individuals in deciding if this course is worth taking, I opted to write this review. Please note that while my personal attendance of the course was in 2009, I routinely volunteer to assist in these courses (for free) when they come to my geographic area of Washington DC, so this information is current as of May 2011. Also, while the term “hard drive” has now become the catch-all term, the course material covers recovery of traditional mechanical hard drives and touches on the latest recovery technologies for flash-based devices like USB thumb drives and Solid-State Drives (SSDs).

This class is appropriate for any individual who has a solid understanding of computer forensics and filesystems and wants to take that knowledge to the next level in terms of understanding exactly how data is stored on the drive, how the device works, and how it can be recovered when conventional imaging techniques fail. This was my primary reason for attending the course. The class is also appropriate for any individual who wants to approach data recovery as a means to expand their computer-support business and wants to add DR (data recovery) as an additional service...

Read more at http://www.forensicfocus.com/scott-moulton-data-recovery-review-200511

Standard Units in Digital Forensics

by Chris Hargreaves

About the Author

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

One of the earliest lectures in the MIT OpenCourseWare programme in Physics is “Units and Dimensional Analysis”. Units of measurement are critical to science, so much so that there is a standard, the SI (Système International d’Unités or International System of Units), that defines science’s system of units, down to the precise definition of a kilogram. The notion of units of measurement in science is extremely important, and it therefore seems sensible to consider how this applies to digital forensics.

As we will see, this does not necessarily suggest that there should be standard units of measurement in digital forensics to report, for example, the position of the start of a file. As will be discussed later in the article, this is not always appropriate, since it is useful to describe such positions in different ways depending on the context. However, this article will argue that reporting some unit of measurement is essential.

Perhaps it is best to begin with a simple example:

“the text string ‘this is evidence’ was located at position 34556”

Since this important evidential artefact has been located, it seems sensible to check that the artefact is actually there. So, we should examine position 34556... but 34556 what? Bytes, sectors, blocks? Let us assume just for a second that the position is expressed in bytes, but what about the number base? If the position in which the string was identified was 86FC, it would be reasonable to assume that this is a hexadecimal offset. However, in this example we have 34556. This could be decimal or hexadecimal. So in order to precisely identify the position of this string, not only does the unit of measurement need to be expressed, but so too does the number base in which it is expressed.
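The arithmetic behind the paragraph above, as an added example that is not part of Chris’s article. It assumes a 512-byte sector and a report notation of my own, “<number> (dec|hex) <unit>”, in which both the base and the unit must be stated; the parser refuses anything less explicit. The `candidate_offsets` helper shows what the reader is left with when they are not stated: the string “34556” names two different byte positions, while “86FC” can only be hex and, as it happens, is the same position as 34556 decimal.

```python
from dataclasses import dataclass
import re

SECTOR_SIZE = 512  # assumed sector size; a sector-based position is meaningless without it


@dataclass(frozen=True)
class Position:
    """A location on a disk image, held as an integer plus the unit it was stated in."""
    value: int
    unit: str                        # "byte" or "sector"
    sector_size: int = SECTOR_SIZE

    def to_bytes(self) -> int:
        if self.unit == "byte":
            return self.value
        if self.unit == "sector":
            return self.value * self.sector_size
        raise ValueError(f"unknown unit {self.unit!r}")

    def sector_and_offset(self) -> tuple:
        """Same location expressed as (sector number, byte offset within that sector)."""
        return divmod(self.to_bytes(), self.sector_size)


# Hypothetical report notation: "34556 (dec) bytes", "86FC (hex) bytes", "67 (dec) sectors".
_POS_RE = re.compile(
    r"^\s*(?P<num>[0-9A-Fa-f]+)\s*\((?P<base>dec|hex)\)\s+(?P<unit>byte|sector)s?\s*$"
)


def parse_position(text: str, sector_size: int = SECTOR_SIZE) -> Position:
    """Parse a position that states both its number base and its unit; reject anything else."""
    m = _POS_RE.match(text)
    if not m:
        raise ValueError(
            f"{text!r}: position must state base and unit, e.g. '34556 (dec) bytes'"
        )
    base = 10 if m["base"] == "dec" else 16
    return Position(int(m["num"], base), m["unit"], sector_size)


def candidate_offsets(number: str, unit: str, sector_size: int = SECTOR_SIZE) -> dict:
    """Every byte offset a bare numeral could denote, keyed by the base it parses in.

    A digit-only string such as '34556' is valid in both decimal and hex, so it
    yields two candidates; a string with letters such as '86FC' can only be hex.
    """
    candidates = {}
    for base in (10, 16):
        try:
            value = int(number, base)
        except ValueError:
            continue
        candidates[base] = Position(value, unit, sector_size).to_bytes()
    return candidates


if __name__ == "__main__":
    print(candidate_offsets("34556", "byte"))   # {10: 34556, 16: 214358}
    print(candidate_offsets("86FC", "byte"))    # {16: 34556}
    p = parse_position("34556 (dec) bytes")
    print(p.to_bytes(), p.sector_and_offset())  # 34556 (67, 252)
```

The two candidates for “34556” lie 180 KB apart; one of them contains the string and the other does not, and a reader of the report has no way to tell which without the base. Reporting the same location as sector 67, offset 252 is equally valid, provided the sector size is recorded with it.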

Furthermore, consider the organisation of a disk...

Read more at http://www.forensicfocus.com/chris-hargreaves

PitchLake - a tar pit for scanners

by Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

We’ve had two bank holidays in a row here in the UK – first off for Easter, then for the Royal Wedding – time off work coupled with very pleasant weather and plenty of “refreshments” has caused my brain to atrophy! So, rather than pulling one of my usual type of topics from the hat for this article, I thought that I’d do a mini-project for the month.

[ I’ll apologise up front though – I can only just program in both Perl and C, and C isn’t exactly column friendly, so it’ll be Perl. I know that many readers here can program in Perl, and most of you probably better than me – I’d be interested to hear corrections, tips and tricks in the comments so as to improve, as no doubt there are better ways of doing this! ]

One of my first tasks in the office this morning, after a cup of coffee of course, was to review my server logs [1]. As yet I’ve not got enough staff to have a minion to do this for me, but to be honest I’d miss the connection to the real world of computing if I did [2]. I run a Linux server in a datacentre in Birmingham as my company’s main web-server and my high-bandwidth, static-IP’d pen-test machine. For the last few months I’ve been meaning to do something about the 404 errors (http://en.wikipedia.org/wiki/HTTP_404) that are being reported by Apache – some are my fault for taking pages away that people clearly still cross-reference – the others though are clearly the work of automated web vulnerability scanning tools.

Vulnerability scanners (http://en.wikipedia.org/wiki/Vulnerability_scanner) are the bottom end of the pen-test toolkit – they are to penetration testing what the Windows “find” command is to digital forensics; i.e. superficial and basic. There are various types – but of interest today are those that operate on the application layer over HTTP (http://en.wikipedia.org/wiki/ISO_model#Layer_7:_Application_Layer). In the open source market both Nikto (http://www.cirt.net/nikto2) and Nessus (http://www.tenable.com/products/nessus) [ Nessus isn’t open source per se, but is free for home use … ] are examples of products that perform tests against webservers for potentially insecure CGIs and files. The trouble with this is that in order to determine if an insecure CGI script or file is present, the scanner asks Apache for it, and receives a 404 if it isn’t there. Each 404 is written to the log, and when Nikto, for example, tests for over 6400 possible vulnerabilities you can imagine what the logs look like! Sadly, tools like these, as they are available to everyone, are not only used by the kind of people that get written authorisation before testing your web server...
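The excerpt stops before the tar pit itself, so the following is an added example of mine, not Simon’s PitchLake code, and in Python rather than his Perl. It shows the other half of the problem he describes: telling a scanner’s burst of 404s apart from the occasional 404 caused by a removed page. The log lines, client addresses (RFC 5737 documentation ranges), probed paths and user-agent string are all constructed for the example; the Apache “combined” log format they follow is real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Split one combined-format line into fields; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def burst_size(times, window: timedelta) -> int:
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_scanners(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)) -> dict:
    """Clients whose 404 count within any `window` reaches `threshold`.

    Returns {ip: {"burst": n, "no_referer": k, "paths": [...]}}. The no_referer count
    helps separate a visitor following a stale link (who usually sends a Referer)
    from a tool walking a wordlist (which usually does not), though a scanner can
    of course set any Referer it likes, so the burst count is the primary signal.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            hits[rec["ip"]].append(rec)

    report = {}
    for ip, recs in hits.items():
        burst = burst_size([r["ts"] for r in recs], window)
        if burst >= threshold:
            report[ip] = {
                "burst": burst,
                "no_referer": sum(1 for r in recs if r["referer"] == "-"),
                "paths": sorted({r["path"] for r in recs}),
            }
    return report


# Constructed sample log: one ordinary visitor who hits a removed page, and one
# client requesting a dozen classic CGI-era probe paths within twelve seconds.
PROBE_PATHS = [
    "/cgi-bin/test-cgi", "/cgi-bin/printenv", "/cgi-bin/phf", "/cgi-bin/formmail.pl",
    "/admin/", "/phpmyadmin/", "/server-status", "/.htpasswd",
    "/backup.tar.gz", "/manager/html", "/config.php", "/wp-login.php",
]
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2011:09:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/May/2011:09:01:05 +0100] "GET /old-article.html HTTP/1.1" 404 210 '
    '"http://www.example.com/links" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [24/May/2011:09:02:{10 + i:02d} +0100] "GET {path} HTTP/1.1" 404 210 '
    f'"-" "Mozilla/4.0 (constructed-scanner-ua)"'
    for i, path in enumerate(PROBE_PATHS)
]

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info["burst"], "x 404 in 60s;", info["no_referer"], "without Referer")
        print("  probed:", ", ".join(info["paths"]))
```

Run against a real access log (`find_scanners(open("access_log"))`) the threshold and window want tuning to the site: a busy site with many broken inbound links can produce a handful of 404s a minute from legitimate traffic, but a tool testing thousands of paths produces hundreds, which is exactly why the tar pit idea is attractive.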

Read more at http://www.forensicfocus.com/simon-biles