Friday, November 30, 2012

Interview with Eddie Sheehy, CEO, Nuix

Eddie, can you tell us something about your background and your current role as CEO of Nuix?

I joined Nuix as CEO in 2006 after working for quite a few high-growth finance and technology businesses. What I loved about Nuix was the precise detail the software could expose about the information it indexed. Having that degree of detail at scale could make a huge difference to the way an investigation played out.

After about a year with Nuix, it became clear to me we couldn’t take on Access Data and Guidance directly – they owned the forensic investigation market. So we expanded into eDiscovery, and later information governance, as a way of growing the business. In 2011, having reached a more tenable scale, we decided to go back into investigations. That has been one of the most satisfying aspects of my time at Nuix.

What products and solutions does Nuix offer?

Nuix offers products and solutions for forensic investigation, eDiscovery and information governance. There’s a fair amount of overlap between those categories; for instance, our Enterprise Collection Center technology for gathering evidence in the field is used by investigators and for eDiscovery, and our processing engine underpins all three verticals.

Indeed, at the heart of these products is our patent-pending unstructured data indexing engine. The Nuix engine has unique load balancing, fault tolerance and intelligent processing technologies that enable it to process huge volumes of unstructured data at high speed and with forensic certainty...

Read more

Wednesday, November 14, 2012

Interview with Jonathan Krause, Managing Director, First Response

Jonathan, we last interviewed you back in 2008, what have you been doing since then?

In early 2008 I started Forensic Control after four years as a computer forensic employee. It began as a vehicle for my contract work but soon developed into a business in its own right, becoming relatively well known – albeit within the fairly small world of computer forensics! I moved further and further away from my roots in public sector work, and found myself really enjoying the faster pace and challenges in the corporate world; there was no going back for me. During this time I was fortunate enough to work on some very interesting cases including the Deepwater Horizon oil spill and the estate of Elvis Presley.

You recently became the Managing Director of First Response. Tell us more about the company and your involvement.

First Response was set up in January 2012, and at present is being run alongside Forensic Control. There are three joint owners of the company; myself, John Douglas and Bill Lindley. John (the Operations Director), Bill (the Chairman) and I bring together over 30 years’ experience of working in the industry. We decided to bring the forensic operations of our separate companies under one roof which was a natural progression for each of our companies. We think we complement each other very well! There’s some more background on First Response in the recent Forensic Focus news item.

I’ve known Bill and John professionally and socially for years; as well as offering what we believe is a first-class service, we enjoy our work and enjoy working with each other – for me, this is of fundamental importance.

In terms of my involvement, I’m a typical managing director/CEO, though with a very much hands-on role. You’re as likely to find me imaging an unusual server configuration, analysing the content and reporting back to the client as dealing with the behind-the-scenes management.

Can you give us some recent examples of cases First Response has worked on?

Sure. I think First Response’s main strength is in having both a great technical depth and an ability to communicate complex matters in a way that an average lawyer or director can easily understand and then act on. This helps our clients tremendously as it did in the two examples of cases I'll outline...

Read more

Thursday, November 01, 2012

Webinar (online now): Pitfalls of Interpreting Forensic Artifacts in the Windows Registry

The webinar "Pitfalls of Interpreting Forensic Artifacts in the Windows Registry" is now online here.

If you encounter any difficulties viewing the above page, the webinar is also available on YouTube here.

In this webinar, Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows Registry reporting. Jacky will be available in this forum thread for about an hour to answer any questions.

Tuesday, October 30, 2012

Guidance Software Releases EnCase® Forensic v7.05

Guidance Software Inc. has announced the release of EnCase® Forensic version 7.05. This latest version of the industry-standard forensics software features key enhancements that enable investigators to work with data sets earlier and faster in order to both begin and close cases faster than ever before. Speed enhancements in the EnCase Forensic v7.05 evidence processor have significantly reduced the processing time for both small and large data sets. Digital investigators can now rapidly process evidence files of virtually unlimited size, dramatically reducing case backlogs. With EnCase Forensic v7.05, investigators can uncover evidence up to nine times faster than with previous versions using the greatly enhanced evidence processor...

EnCase Forensic v7.05 also improves investigative efficiency by automating common investigation tasks and significantly reducing manual efforts. Prioritized processing lets users process an early subset of evidence and make it available more quickly for analysis by investigators. They can also choose to continue or to stop processing remaining evidence. Enhancements to the analytic capabilities of the product’s built-in Case Analyzer offer forensic examiners deeper insight into computer systems through higher-level reports on metadata and the ability to compare potentially related artifacts side-by-side. Examiners can establish hyperlinks to original documents and images within reports. In addition, the results of a keyword search can be viewed and analyzed while that search is ongoing...

Read more

Monday, October 29, 2012

Webinar: Pitfalls of Interpreting Forensic Artifacts in the Windows Registry

In this webinar, Jacky Fox, student at UCD School of Computer Science and Informatics, presents the results of her dissertation on Windows Registry reporting - focusing on automating correlation and interpretation. After the webinar Jacky will be available in the Forensic Focus webinars forum to answer any questions.

Date: Thursday, November 1st 2012
Time: 12PM (midday) EDT US / 4PM GMT UK / 5PM CET Europe
Duration: 20 mins

There is no need to register for this webinar; simply visit the webinar page at the above time (the webinar has been pre-recorded and will be archived for later viewing if you are unable to attend).

Tuesday, October 09, 2012

Interview with Lindy Sheppard, F3 (First Forensic Forum) Secretary

Lindy, tell us something about the cases you have been involved in.

I have been involved in quite a variety of cases, from counter terrorism to the importation of drugs, fraud, missing children and sadly, far too often, the abuse of children. Working alongside Tony Sammes has meant that I have been involved in many high profile and often ground breaking cases. It has always been good to see the outcome of a trial in the news and feel a sense of satisfaction at a job well done. Although not working on the technical side of the industry I have been the link between Tony and the case officer and/or OIC in far more cases than I can number - I do know that I have handled well in excess of 600 exhibits...

Read more

Thursday, September 13, 2012

Interview with Philip Anderson, Senior Lecturer at Northumbria University

Philip, can you tell us something about your background and why you decided to teach digital forensics?

I graduated from Northumbria University with a BSc (Hons) in Business Information Technology in 1997 and gained an MSc in Distance Education with Athabasca University, Canada by distance learning in 2008.

After I graduated I started working at Northumbria University in a number of different IT Support/Developer roles for different departments within Northumbria University before becoming a Lecturer in 2001. I started teaching programming and also web design and development modules. It was in 2004 and 2005 alongside colleagues that we developed the undergraduate Computer Forensic degree. Once validated and in its first year I naturally changed to teach computer forensic modules (and more) as the degree progressed.

I have over seven years’ extensive teaching experience involving Guidance Software (i.e. EnCase) in taught computer forensic modules. I have also successfully worked in the field, on a number of different forensic examinations of digital media for external clients, involving examination, analysis and production of extensive reports.

I was appointed a European Network and Information Security Agency (ENISA) expert in 2010 for two years for identifying emerging and future ICT risks in the area of Information Security Risk Assessment and Management. I also served as a Special Constable with Durham Constabulary for over 14 years.

For me, the reason I chose and enjoy teaching digital forensics is my computing background and the application of that knowledge in conjunction with strong investigative skills...

Read more

Wednesday, August 29, 2012

Windows 8 Forensics webinar - alternative URL

Sincere apologies to anyone having difficulty connecting to the Meetingburner service to view the Windows 8 Forensics presentation - please try the following URL on YouTube instead:

Josh is available in the webinars forum to answer any questions. Please go here if you would like to join in the discussion.

Additionally, a PDF with slides from the presentation can be downloaded here.

I will get these gremlins out of the system soon, I promise!


Tuesday, August 28, 2012

JADsoftware - The Company Behind IEF - Re-Launches As Magnet Forensics Inc.

JADsoftware, the company behind the industry-leading digital forensics product Internet Evidence Finder (IEF), announced on Monday that they have re-launched the company under a new name - Magnet Forensics Inc.

“A lot has changed since I launched JADsoftware and first developed IEF while working as a police officer and forensic examiner,” said Jad Saliba, Founder and Chief Technology officer of Magnet Forensics.

“After a couple years juggling both jobs, I realized that IEF had tremendous potential to help forensics professionals perform better investigations, so I decided to dedicate myself to developing the software full-time,” Saliba explained. “We now have a team of talented individuals who are working around the clock to take IEF to the next level. The time felt right to transition to a name that better reflects what we do, which is help our customers get to key Internet evidence as quickly and easily as possible, among a proliferation of online data.”

Read more

Monday, August 27, 2012

Computer Analysts and Experts – Making the Most of GPS Evidence

by Professor David Last

The many companies that sell software for computer forensics have developed products for analysing satellite navigators. Police high tech crime units and independent laboratories now use this software on an industrial scale. Computer technicians conduct the analyses. This is home territory for them, since the biggest component of a vehicle satellite navigator is a computer, often running the Linux operating system, and with access via a USB connection or an SD card. The analysis software extracts addresses which it plots using tools such as Google Maps. Specialists extract similar data from satnavs built into vehicles.

But many investigating officers find the results disappointing: “it’s just a list of addresses!” Unlike CCTV, ANPR and witness evidence, there are rarely times or dates to fit into a chronology. And anyway, the addresses are simply destinations for planning routes. The defence will point out that no-one can say who entered them, or at what time on what date, or whether a route was planned to them, or whether the satnav ever went there, let alone in a specific vehicle driven by their client!

Another problem is that the investigating officer may simply not be able to understand the data provided. What are all these addresses? Were they recorded by the device itself or input by a user? Was that inputting an intentional action? The sense of frustration is enhanced by the quality of reports generated by much commercial software. The best packages provide at least some explanation of the data they contain, the worst none at all. The technicians who conduct the analyses often have neither the time nor the training to help. This leaves the officer with the prospect of presenting and defending poorly understood data in court. Some just give up!

But the addresses may at least have intelligence value...

Read more

Friday, August 24, 2012

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic.  What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code.

While conducting their research, they found that practical tool-based solutions existed for generating digital forensic timelines, though they each had specific limitations.  Thus, efforts were undertaken by the authors to provide an alternative timeline generation framework.  Although some in the community had already proposed the use and generation of supertimelines, all too often important data sources were being left out.  In order to rectify this, it became necessary to couple additional tools in order to provide maximum evidentiary extraction...

Read more

Wednesday, August 22, 2012

Webinar: Windows 8 Forensics - A First Look

Take a first look at Windows 8 forensics in a webinar presented by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University. Learn about the changes in Windows 8 which forensic examiners should be aware of before this new OS is released to the public in October. After the webinar Josh will be available in the Forensic Focus forums to answer any questions.

Date: Wednesday, August 29 2012
Time: 11AM EDT US / 4PM BST UK / 15:00 GMT
Duration: 35 mins

Register today at

Please share this invitation with any friends or colleagues who might also be interested, thank you.

Friday, August 17, 2012

Apple phones are AES-tough, says forensics expert

Monday's Technology Review carries a glowing tribute to Apple iPhone security by its author, Simson Garfinkel, a contributing editor who works in computer forensics and is highly regarded as a leader in digital forensics. He says Apple has passed a threshold: “Today the Apple iPhone 4S and iPad 3 are trustworthy mobile computing systems that can be used for mobile payments, e-commerce, and the delivery of high-quality paid programming,” thanks to Apple’s heavy investment in iPhone security. That is where “threshold” comes in: Apple has crossed it. Even law enforcement cannot perform forensic examinations of Apple devices seized from criminals, he said...

Read more

Thursday, August 16, 2012

Researchers Show How to Crack Android Encryption

As forensic examiners, some of the last things we want to hear are "encryption" and "enabled" in the same sentence; however, that's what has been happening with the current line of Android devices. Starting with Android 3.0, devices have been shipping with the ability for the user to enable full device encryption. Fortunately for the forensic community, there are individuals steadfast in finding a way to break that encryption - and they have already proven how to do so. Two such researchers - Thomas Cannon and Seyton Bradford - have demonstrated successful brute force attacks against Android encryption. Thomas detailed their findings at DEF CON 2012 in his presentation "Into the Droid - Gaining Access to User Data"...

He explains that the encryption uses standard Linux dm-crypt, incorporated in Android devices running version 3.0 and newer, and uses the same password to encrypt and decrypt data as is used to unlock or log in to the device. So while the encryption is generally considered strong, users default to using short or easy-to-type passwords and PINs to protect their device and enable the encryption...

Read more

Friday, August 10, 2012

Forensic Examination of FrostWire version 5

As digital forensic practitioners, we are regularly faced with users utilizing the internet to swap and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving. This paper will discuss how the P2P software application FrostWire v.5 functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P applications...

Read more

Wednesday, August 01, 2012

Book Review: Mastering Windows Network Forensics & Investigations

by Chad Tilbury

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:
  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry
The book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts...

Read more

Thursday, July 26, 2012

Introduction to Penetration Testing – Part 3a – Active Reconnaissance

by Si Biles, Thinking Security

Apologies in advance, this is a bit of a connective blog entry – this is a big topic, and it needs some scene setting, basic understanding and several weeks worth to get the most out of it.

We live in a connected world now – my other half was showing me a washing machine with a WiFi connection and an associated iPhone App that would allow you remote control of, and reporting about, your intimate garments’ spin cycle! I wonder if that is really necessary, to be honest, as even if it has finished, knowing that while I’m in the office and the washing machine is at home is a complete waste of electrons.

The network, and the connected nature of things is what allows us as penetration testers to attempt to compromise the security of a company without going anywhere near it. There are other aspects to full scale penetration testing as I’ve alluded to before – with social engineering and physical attack ( lock picking, not baseball bat ) parts of such a scope – but a majority of the work is computer and network based.

To that end, a good understanding and working knowledge of networking is pretty much a job pre-requisite. So, rather than giving you a lesson myself, I’ll give you a quick and dirty set of online references – this won’t make you an expert by any stretch of the imagination, but hopefully it will get us through the rest of this section without too much head scratching.[1]
I would apologise for the laziness on my part, however I subscribe to Larry Wall’s school of thought that it is a virtue – if someone else has done it well enough already, why spend time re-inventing the wheel. The corollary of that is, if you find that there isn’t a good explanation of something in that set that you’d like to understand better – add a comment on the bottom of this post and we’ll bring it up to scratch ( perhaps both here and at Wikipedia ;-) ).

So, seeing as you all now fully understand TCP/IP packet structure and know your URG from your SYN …

Read more

Tuesday, July 24, 2012

Authenticating Internet Web Pages as Evidence: a New Approach

By John Patzakis [1] and Brent Botta [2]

Previously, in Forensic Focus, we addressed the issue of evidentiary authentication of social media data (see previous entries here and here). General Internet site data available through standard web browsing, as opposed to social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges, which are outlined below. To help address these unique challenges, we are introducing and outlining a specified technical process to authenticate collected “live” web pages for investigative and judicial purposes.[3] We are not asserting that this process must be adopted as a universal standard and recognize that there may be other valid means to authenticate website evidence. However, we believe that the technical protocols outlined below can be a very effective means to properly authenticate and verify evidence collected from websites while at the same time facilitating an automated and scalable digital investigation workflow.

Legal Authentication Requirements

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under US Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence)...

Read more

Thursday, July 19, 2012

"Finding Evidence in an Online World" webinar recording and PDF now available

A recording of this week's webinar "Finding Evidence in an Online World - Trends and Challenges in Digital Forensics" is now available here and on YouTube here.

Sincere thanks to Jad Saliba for agreeing to re-record the presentation yesterday as a result of the audio issues we experienced during the live version. Also, a number of people requested a PDF version of the slides and Jad has kindly made that available here.

A free trial of IEF (the software used in the presentation) is available at and for details of a 10% discount available until August 1st 2012 please contact

Saturday, July 14, 2012

Retrieving Digital Evidence: Methods, Techniques and Issues

by Yuri Gubanov
Belkasoft Ltd.

This article describes the various types of digital forensic evidence available on users’ PC and laptop computers, and discusses methods of retrieving such evidence.

Recent research conducted by Berkeley scientists concluded that up to 93% of all information never leaves the digital domain. This means that the majority of information is being created, modified and consumed entirely in digital form. Most spreadsheets and databases never make it onto paper, and most digital snapshots never get printed. There are many activities, such as chats and social networking, that are specific to the digital world and are even unimaginable outside of the virtual realm.

Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases and prevent crimes. This article discusses the many types of digital evidence produced by a typical computer user, criminal or not, and demonstrates methods and techniques available to extract that evidence out of the original PC and into the hands of a forensic investigator...

Read more

Friday, July 13, 2012

Parallels hard drive image converting for analysis

by zoltanszabodfw

The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find much help on this issue on-line and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I wanted to approach this issue was by converting the hard drive image to something simpler, like a dd image. I found a very nice article on how to convert to a plain hard drive image using Parallels Image Tool, which comes with Parallels Desktop, but I had no access to a Mac and wanted to see if there is a way to do this on Windows. There was VMware vCenter Converter (free software), but it did not work, giving a message that it could not recognize the image. I also found an interesting tool, MakeVM, that looked very promising, but the demo version would not convert an image larger than 2GB. So, I wanted to look further into other options. This article is about the findings of that “journey”.

Parallels Workstation comes with a few command line tools for basic drive manipulation, like prl_disk_tool or prl_convert, but the best converter I found is the latest release of the open source project QEMU.

One of the utilities in QEMU is qemu-img, where the help output reveals the value of this simple utility when it comes to converting image types. The latest version just added support for the Parallels image format: “Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qcow2 qed host_device file raw sheepdog vdi vmdk vpc vvfat”

Step 1. I downloaded the Parallels Workstation trial version to create a virtual machine for testing and to make sure my findings would be applicable to the latest version of Parallels.

Parallels Workstation Build 6.0.13976
( Revision 769982; June 8, 2012 )

Step 2. Created a virtual machine (Windows 2008 Server) with a 20GB hard drive.
Step 3. Used the qemu-img utility to convert the image into a raw image (note the input format is the .hds file inside the .hdd bundle, and the quotes must be plain ASCII quotes):
qemu-img.exe convert -f parallels -O raw "Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds" f:\temp\otput.dd
Step 4. Opened the image in FTK Imager to analyze the data.

Parallels converted hard drive image in FTK Imager
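Before loading the converted image into FTK Imager it is worth confirming that qemu-img actually produced a sane disk and recording its hash for the case notes. The following is an added example, not code from the original post: it builds the Step 3 qemu-img command, hashes the output and parses the MBR partition table, flagging a partition that runs past the end of the file (a sign of a truncated conversion). The file names and the synthetic sample image are constructed here and are not from the post.

```python
"""Sanity-check a raw image produced by `qemu-img convert -f parallels -O raw`.
Added example; qemu-img argv mirrors Step 3, everything else is constructed."""
import hashlib
import os
import struct
import subprocess
import tempfile

SECTOR = 512
# MBR partition entry: status, CHS start(3), type, CHS end(3), LBA start, sector count
_ENTRY = struct.Struct("<B3sB3sII")
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0x05: "Extended", 0x0F: "Extended (LBA)"}


def qemu_convert_command(src_hds, dst_raw):
    """argv list for the Step 3 conversion (Parallels .hds -> raw/dd image)."""
    return ["qemu-img", "convert", "-f", "parallels", "-O", "raw", src_hds, dst_raw]


def convert_parallels(src_hds, dst_raw):
    """Run qemu-img; raises if the tool is missing or the conversion fails."""
    subprocess.run(qemu_convert_command(src_hds, dst_raw), check=True)


def parse_mbr(sector0):
    """Return the populated partition entries of an MBR. Raises if the 512-byte
    sector lacks the 0x55AA boot signature (garbage output or wrong -f format)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = _ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": lba, "sectors": count,
                      "start_offset": lba * SECTOR, "size_bytes": count * SECTOR})
    return parts


def image_summary(path):
    """SHA-256 of the whole image plus its partition layout, for the report."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        sector0 = f.read(SECTOR)
        sha.update(sector0)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
    size = os.path.getsize(path)
    parts = parse_mbr(sector0)
    for p in parts:
        # a partition extending past the file means the conversion was cut short
        p["within_image"] = p["start_offset"] + p["size_bytes"] <= size
    return {"size_bytes": size, "sha256": sha.hexdigest(), "partitions": parts}


def make_sample_image(path, total_sectors=4096):
    """Constructed stand-in for a converted image: zeroed 2 MiB disk with one
    bootable NTFS partition at LBA 2048 running exactly to the end of the disk."""
    entry = _ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, total_sectors - 2048)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(b"\0" * (SECTOR * (total_sectors - 1)))
    return path


def sample_summary():
    """Build the constructed sample in a temp dir and summarise it."""
    path = make_sample_image(os.path.join(tempfile.mkdtemp(), "sample_output.dd"))
    return image_summary(path)


if __name__ == "__main__":
    print(sample_summary())
```

With a real conversion, call convert_parallels() on the .hds file and then image_summary() on the output instead of the constructed sample.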

Wednesday, July 11, 2012

Introduction to Penetration Testing – Part 2 – The Discovery Phase – Passive Reconnaissance

by Si Biles ( @si_biles ), consultant for Thinking Security

PenTest, like forensics, is almost as much an art as it is a science – you can only be taught so far; technical techniques and tools are all very well, but you really need a mind that can think sideways and approach a task from as many angles as possible. The ex-LE forensicators have this skill in spades – the data that is potentially available during an investigation includes interviews, statements, crime scene photos and all manner of collected evidence – in the commercial world there is less available, but still I’m confident that you’ll all have your sources. PenTest is much the same: the more that we can know about a potential target before we even fire up NMap[1], the further we will get.

The title of this segment is “Passive Reconnaissance” – that’s not to say that you don’t have to do anything during this phase and that it all comes to you – it’s about obtaining information which is already in the public domain – not necessarily deliberately – and is related to the target.[2]

There isn’t really anything, at this stage, that we aren’t interested in – collect all the information you can – we can whittle it down to pertinent facts as we go along.[3]

Right then – where to start ? Well, let’s start to build a picture of our target. Let’s have a look at their domain:

si$ whois
Domain name:
Google Inc.
Registrant type:
Registrant's address:
1600 Amphitheatre Parkway
Mountain View
United States
Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]
Relevant dates:
Registered on: 14-Feb-1999
Expiry date: 14-Feb-2013
Last updated: 10-Feb-2011
Registration status:
Registered until expiry date.
Name servers:
WHOIS lookup made at 23:20:53 03-Jul-2012

OK, so we have a home address for our company – this example isn’t the most detailed, but you can often glean names, e-mail addresses and phone numbers from a whois lookup. It’s good if you can get an e-mail address – these will start to give you an idea of the common address format used within the company – e.g. first initial plus last name (sbiles), or first name.last name (simon.biles), or with a complicator (simon.biles100) [incidentally these are all real addresses at various organisations I've worked at]. Remember this, it will come in useful later.
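The whois output above is pasted as a blob, which is awkward to track across an engagement; as an added example (not code from the original post), the parser below turns a Nominet-style response of that shape into a structured record with the lookup time, registrar, dates and name servers, and can diff two lookups of the same domain so that a changed registrar or status, or an imminent expiry, stands out. The sample response and the example.co.uk domain are constructed here and are not from the post.

```python
"""Parse a Nominet-style whois response (the shape shown above) into a record.
Added example; SAMPLE_WHOIS is constructed and not the post's real lookup."""
from datetime import datetime

SAMPLE_WHOIS = """\
Domain name:
    example.co.uk

Registrant:
    Example Holdings Ltd

Registrant type:
    UK Limited Company, (Company number: 00000000)

Registrant's address:
    1 Example Street
    Example Town
    EX1 1EX
    United Kingdom

Registrar:
    Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]

Relevant dates:
    Registered on: 14-Feb-1999
    Expiry date:  14-Feb-2013
    Last updated:  10-Feb-2011

Registration status:
    Registered until expiry date.

Name servers:
    ns1.example.co.uk
    ns2.example.co.uk

WHOIS lookup made at 23:20:53 03-Jul-2012
"""

LOOKUP_PREFIX = "WHOIS lookup made at"
DATE_FIELDS = {"Registered on": "registered_on", "Expiry date": "expiry_date",
               "Last updated": "last_updated"}


def _first(sections, name):
    return (sections.get(name) or [""])[0]


def parse_whois(text):
    """Split the response into its sections; dates become datetime.date values."""
    sections, current, lookup_time = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOOKUP_PREFIX):  # trailer: when the lookup was made
            lookup_time = datetime.strptime(line[len(LOOKUP_PREFIX):].strip(),
                                            "%H:%M:%S %d-%b-%Y")
        elif line.endswith(":"):  # section header such as "Relevant dates:"
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    dates = {}
    for item in sections.get("Relevant dates", []):
        key, _, value = item.partition(":")
        if key.strip() in DATE_FIELDS:
            dates[DATE_FIELDS[key.strip()]] = datetime.strptime(value.strip(), "%d-%b-%Y").date()
    return {
        "domain": _first(sections, "Domain name"),
        "registrant": _first(sections, "Registrant"),
        "registrant_address": sections.get("Registrant's address", []),
        "registrar": _first(sections, "Registrar"),
        "status": _first(sections, "Registration status"),
        "name_servers": [ns.lower() for ns in sections.get("Name servers", [])],
        "lookup_time": lookup_time,
        **dates,
    }


def days_to_expiry(record, today):
    """Days from `today` (a date) to the expiry date; negative once it has lapsed."""
    return (record["expiry_date"] - today).days


def changed_since(previous, current):
    """Fields that differ between two lookups of the same domain; a changed
    registrar, status or name-server set is worth a second look."""
    keys = ("registrar", "status", "name_servers", "expiry_date", "last_updated")
    return [k for k in keys if previous.get(k) != current.get(k)]


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["domain"], rec["registrar"], days_to_expiry(rec, rec["lookup_time"].date()))
```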

If we have a look at the website of our target itself, it is most likely that there will be good information there too – names, addresses, phone numbers and e-mails are all good. Also look out for support contact details, FTP site details and logins, for example, social networking links, etc. All of this is grist to the mill – potential routes of later attack, sources for social engineering, logins to systems that will get you past the first line of defence. Take a note of product names as well; these are often used as “guest” login details for FTP sites too – “producttrial” as both the username and password, for example – for sales staff to use with customers. If you are planning a social engineering phase, it can be beneficial to take copies of web pages (faking a login page), logos (faking business cards and documents) and other official-looking documents and marketing material. I personally dislike performing social engineering, though it’s often the easiest way to get into somewhere – if you are going to do it, make sure that you agree with your client in advance that there will be no repercussions for any member of staff that you succeed in manipulating, and that anonymity will be preserved – it could be an unlucky ring of the phone that costs someone their job otherwise.

Where next ? Google. Google is your friend – it is one of the most amazing tools available, not only having a huge index of things that are current, but also cached copies of things that might not be so current. Googling well is a skill, not unlike that of writing search queries for Forensic searches – it’s just that Google is a lot faster than EnCase or FTK over a much bigger data set...

Read more

Thursday, July 05, 2012

Interview with John H. Riley, Bloomsburg University of Pennsylvania

John, can you tell us something about your background and why you decided to teach digital forensics?

First, thanks for the opportunity to discuss our program. We're really proud of what we've accomplished here and believe we're contributing to the digital forensics community. I started as a mathematician (Ph.D., University of Connecticut, 1980) and then began to teach computer science as well as mathematics in the 1980s. I wrote two programming textbooks (Pascal, for the old timers). About six or seven years ago, my department was investigating majors that would be good for students. We decided upon computer forensics. It is an interesting, useful field of study that has worked really well for us and our students.

On the intellectual side, I find the whole issue of what information can be found and how it can be used to build a story quite fascinating. "Story" here means a narrative that shows what happened, in a rigorous sense (a la a mathematician's proof). As a professor, it's really fun to work with digital forensics students. Our curriculum has a lot of hands on work so we see our students really digging into things. The ultimate reward is seeing them graduate and begin work. I must note that I've had really great colleagues, particularly Scott Inch, to work with. I also am grateful to the larger forensics community for their help.

What digital forensic courses are currently offered by Bloomsburg University?

Introduction to Digital Forensics, File Systems 1 and 2, Digital Forensics Software, Advanced Topics in Digital Forensics, Small Devices Forensics, UNIX/Linux for Digital Forensics.

Tell us more about course structure and content. What core knowledge and key skills should students gain by the end of their studies?

The first five courses listed above (along with some computer science and other courses) form the backbone of our major. They cover the artifacts that can be found on a computer (and how they come to be), how the artifacts can be extracted in a forensically sound manner and how they can be linked together and presented or reported. As an example, students know why a deleted file may or may not be able to be recovered, how to use a tool like EnCase or FTK (or even a hex editor) to recover it, how it might be related to a link file or a registry entry, how to ensure its integrity after extraction using a hash function and how to include it in a report. We stress the importance of knowing how the computer is organizing files and generating artifacts so that what a tool produces is understood. Our graduates are prepared to defend their results. We also put this work in context. It's not just finding a deleted file, it's finding evidence which may change a person's life. So beyond knowledge and skills, we foster a sense of responsibility and integrity...
Thursday, June 28, 2012

An Introduction to Penetration Testing – Part 1

by Si Biles

In an earlier article, many moons ago (Sorry Jamie !), I stated my opinion that Forensics and Security were opposite sides of the same coin. I’ve felt very strongly that my skills as a Security Consultant have only been strengthened and expanded by the experiences I’ve gained with Forensics, both as part of the Forensic Focus community (again, apologies for my absence) and as part of my MSc (an ongoing epic spanning two Universities and many years).

There is a particular area of Security work that I think mirrors the skill set of Forensics more closely than others – and that is Penetration Testing. PenTest is probably the most bleeding edge, exciting and intellectually challenging thing in the InfoSec field – no matter how much I try, I struggle to get as excited about writing an “Acceptable Use Policy” as I do given free rein to attempt a “capture the flag” task on a corporate network. (That’s not to say that AUPs don’t have their own excitements … nah, I’m kidding, but they are important – like eating your vegetables…) – at the same time though, the same measured and methodical approaches and investigative skills that apply in Forensics, apply in PenTest.

Over the next few articles ( I don’t know how many yet, I’ve not written them – but I’m aiming to get an update to you fortnightly ) I’d like to take you through a high level PenTest methodology, showing you some of the tools and toys that you can play with along the way. At the end of it all, my intent is to run a competition (with a small prize for the winner – something like an iPod Nano perhaps?) of a live machine ( or machines … ) connected to the internet that you can all have a pop at – rules and scoring criteria yet to be determined – and will have to write a short report on. ( Not that report writing will faze a single Forensicator! )

In any case, let’s start with outlining the basic methodology – remember, like Forensics, many parts of a PenTest methodology are iterative, as you learn more in one phase, you may want to return to an earlier phase and see what further advances you can make with your new-found knowledge.

Read more

Friday, June 15, 2012

Interview with Professor Golden G. Richard III, University of New Orleans

Golden, can you tell us something about your background and why you decided to teach digital forensics?

I studied computer science at the University of New Orleans, then went to Ohio State to get an M.S. and Ph.D. My evil plan to try to return to New Orleans worked, when a job opening at UNO appeared just as I was finishing up at Ohio State. I made a single job application (which slightly annoyed my advisor) and got the job.

I've been teaching at UNO since 1994. I've been "hacking" (in the positive sense of the word) since I was about 13--that's 35 years ago, although I don't really feel that old. Yet. I've always been interested in operating systems internals, filesystems, etc. When I met some people around 2001 that were starting a digital forensics conference, I realized that there could be a formal point and a focus for my tinkering. I started doing formal research in digital forensics around 2002 or so and classes in digital forensics at the University of New Orleans followed around 2003.

What digital forensic courses are currently offered by the University of New Orleans?

We currently offer a bunch of security courses that have slightly overlapping content. There are two core digital forensics courses, CSCI 4623 and CSCI 6621, which are undergraduate/graduate mix and graduate only, respectively. CSCI 4623 is an introductory course and includes a bunch of hands on stuff in my lab. CSCI 6621 is primarily a research course, where graduate students come up to speed on the state-of-the-art in digital forensics research, tools, etc. It's driven primarily by reading papers, but with some lab work as well. We also offer courses in reverse engineering (basically, a malware course), kernel exploitation, network penetration testing, and of course a basic computer security course. Each of these has at least some forensic component.

Tell us more about course structure and content. What core knowledge and key skills should students gain by the end of their studies?

The idea with each of our security courses is to cover foundational stuff and to reinforce that with extensive labwork. For the intro forensics courses that means I lecture using Powerpoint, do walkthroughs that illustrate a point, and then students actually do forensics in the lab. For the reverse engineering class, for example, it's similar--learn about particular aspects of malware, but then actually reverse engineer real viruses on your own. We're not a trade school, so fundamentals are tool agnostic, but we have licenses for major commercial forensics and reverse engineering software so students are exposed to the "real stuff"...

Read more

Thursday, May 17, 2012

Interview with John Patzakis, Founder and CEO of X1 Discovery

John, the last time you were interviewed at Forensic Focus you were the Vice Chairman and Chief Legal Officer at Guidance Software. Now you're the founder and CEO of X1 Discovery - tell us about that move.

I am proud to have been a co-founder and part of the senior team at Guidance Software for ten years. The early days at Guidance were exciting as we sowed new fields, just as we are doing now at X1 Discovery. At Guidance, we first pioneered Windows-based forensics, which was the new paradigm and represented an order of magnitude improvement over DOS-based forensics. Then circa 2004, we introduced and championed the concept of enterprise in-house eDiscovery, a strategy that ended up being Guidance’s main force of growth leading to our IPO in 2006.

So after leaving in 2009 and engaging in consulting projects through 2010 I began discussions with X1, an Idealab Company that I always thought had excellent search technology for both the desktop and the enterprise. At first the intent was to sit on the board as an investor but then I learned about the IP they were developing for social media, and I also became excited about the promise of X1’s enterprise server to be a very robust eDiscovery early case assessment and first pass review solution. So to make a long story short, the board at Idealab – which is our parent company -- offered to have me head up X1 Discovery as a spin-off to X1 Technologies, with ownership of all our intellectual property. It was a great opportunity and the Idealab board has been very supportive and enabled me to recruit some outstanding talent and assemble a great team.

What does X1 Discovery do? What makes it different from the other eDiscovery companies which have entered the market in the past few years?

At X1 Discovery we are pioneering the new fields of forensics and eDiscovery of social media and cloud-based data. I have always been interested in where the puck is going as opposed to where it is now, and we believe the X1 Discovery’s disruptive technology is already years ahead of the field. We accomplished this by leveraging our vision and industry experience to effectively build on the patented X1 Search Technology.

Tell us more about your products, X1 Social Discovery and X1 Rapid Discovery.

X1 Social Discovery, launched in October 2011, is basically like EnCase or FTK for social media and website collection. It is a desktop application specifically designed for computer investigators and legal professionals that we believe is the clear market leader in its class. X1 Social Discovery’s two core benefits are scalability and defensibility. It can collect tens of thousands of social media items in a few hours and up to millions in a few days, and then instantly search and filter those items with the patented X1 fast-as-you-type indexed search. X1 Social Discovery is very defensible as we are establishing a chain of custody with case management, evidence segregation, logging, and MD5 hashing of all collected items. Also, social media sites are accessed read-only, which is important as visiting a live Facebook page can easily cause changes to the page and its metadata. Finally, we collect all available metadata on social media sites. A Facebook item alone has over two dozen unique metadata fields and we preserve and collect all of them.

Our other product, X1 Rapid Discovery, is a proven, and now with the release of version 4, a truly cloud-deployable eDiscovery and enterprise search solution that enables users to quickly identify, search, and collect distributed data wherever it resides in the IaaS cloud or within the enterprise. Just this past week we were the first eDiscovery company accepted into the Amazon Web Services (AWS) Solution Provider program. Importantly, it's a non-appliance software solution that is very easy to install and configure. So in addition to the cloud, X1 Rapid Discovery is quickly deployed in the field on the investigator’s own hardware to collect data from servers and/or to index, cull and search through up to terabytes of collected data...

Read more

Tuesday, May 15, 2012

Interview with Noreen Tehrani, Applied Trauma Psychologist, NTA

Can you tell us something about your background and why you decided to work in the field of applied trauma psychology?

I have had a very mixed career; I have worked in medical research, as a retail operations director, property development, Head of a counselling service and running my own company. I think that the fact that I have had lots of experience doing different things has been really helpful to me. Although I love research, at heart I am a practitioner and enjoy working with people and organisations to help them to have happy and healthy lives.

I don’t think that I set out to be an applied trauma psychologist – it was just that the work was interesting and I could see that it helped people deal with difficult issues.

Tell us more about applied trauma psychology - what does your work involve and who do you aim to help?

I work with lots of different organisations and kinds of people. My main areas of expertise are in psychological trauma, bullying and harassment and psychological rehabilitation. I have worked with victims of major incidents such as 9/11 and the 7/7 bombings as well as natural disasters, transport deaths, rapes and other crimes. My goal is to help organisations prepare for crisis and disasters by training and preparing their employees and when a crisis occurs to help the organisation to deal with it to limit the damage caused to the workforce. I have developed a number of psychological tools which help people to recover from stress, burnout and psychological trauma.

What experience have you had working with digital forensics professionals?

The first time I worked with digital forensic professionals was around ten years ago. A commercial forensics organisation had taken over some work on Operation Ore and the young forensic examiners were having problems in dealing with the impact of the images they were assessing. I later became involved in supporting other forensic examiners who were working in Eastern Europe where they felt that they were in very threatening working environments with little support. More recently I have become more involved with law enforcement officers working with child abuse. This is a really interesting area of work and I find that the people involved in this work are really dedicated and keen to push the boundaries of their knowledge of computer forensics to the limits.

What are the short and long term effects of working with the kind of disturbing material which digital forensics examiners often encounter in their work?

I think that it is relatively easy to see that some people will never be able to deal with the distressing images, sounds and dialogue that are part of the examiner's world. Some people fail within the first few days of being exposed to the material. However, perhaps more difficult is the slow grinding down of the digital examiner's resilience which can happen over months or years. People who have handled this kind of work may suddenly find that they are unable to deal with it any more. I think that most people have a “shelf-life” for dealing with the most distressing material and need to take a break. The initial reaction to distressing material is the shock and disgust it causes, the fact that people will do things that most of us could never imagine. This is particularly distressing when the victim is a child. The real problems relate to the trauma reactions that this shock can create. The way our brains work is to try to protect us from anything that could cause harm. The common response to a traumatic exposure is to a) try to avoid further exposure, b) become hyper alert or aroused to the material or thoughts about the material and c) have dreams, flashbacks or constant thoughts about the exposure. People can also become irritable, detached and start using “self-medication” (caffeine, alcohol, drugs – prescribed and otherwise) to handle their symptoms. Often relationships suffer as normal loving relationships are affected by the impact of the material...

Read more

Wednesday, April 18, 2012

Interview with Keith Cottenden, Forensic Services Director, CY4OR

Can you tell us something about your background and how you became involved in digital forensics?

I spent 22 years in the Royal Air Force Police specialising as a Counter Intelligence and Information Technology Security investigator; supporting criminal and security investigations by the examination of recovered computer media, using recognised forensic techniques. I have over twenty years' experience of carrying out computer audits and investigating incidents of computer misuse, virus attacks, hacking and loss & theft of data. I have been in the private sector, specialising in digital forensics, for the last 8 years and have worked on behalf of law enforcement agencies, solicitors and corporate clients on a variety of UK based and international cases.

What services does CY4OR offer?

CY4OR is recognised as an industry leader in the investigation of serious and complex crime, and civil litigation cases. We have extensive experience in conducting investigations on a broad range of digital media including computers, mobile devices and audio and visual analysis. We complement our forensic offering with full eDisclosure, cell site analysis, data recovery, data destruction, vulnerability assessment and penetration testing services.

What is your own role?

I am responsible for directing all investigation and consultancy services; accountable to the board for all operational and technical aspects of the business.

Tell us more about CY4OR's growing focus on eDisclosure and eDiscovery. How important have those services become compared to "traditional" computer forensics?

eDisclosure was a natural progression from digital forensics for CY4OR. Both disciplines involve handling data in a manner that ensures preservation and interpretation. We have moved with the industry and as litigation and regulatory pressures are now a fact of life for many organisations, as well as dealing with an ever increasing amount of electronic data, eDisclosure is now becoming the norm in many cases...

Read more

Friday, April 13, 2012

Exploded Car for Digital Forensics Students Tutorial

University forensics students sift through exploded car to find digital data for use in mock trial (YouTube Video)

Tuesday, April 03, 2012

Overcoming Potential Legal Challenges to the Authentication of Social Media Evidence

Social media evidence is highly relevant to most legal disputes and broadly discoverable, but challenges lie in evidentiary authentication without best practices technology and processes. This whitepaper examines these challenges faced by eDiscovery practitioners and investigators and illustrates best practices for collection, preservation, search and production of social media data. Also highlighted in this paper are examples of numerous unique metadata fields for individual social media items that provide important information to establish authenticity, if properly collected and preserved...

Read more

Wednesday, February 29, 2012

viaForensics releases 10 Android YAFFS2 images

The YAFFS2 file system is widely used in Android devices, but to date has not been supported by the leading open source forensic toolkit, The Sleuth Kit, commonly known as TSK. viaForensics has undertaken development to integrate YAFFS2 file system support in TSK and while the YAFFS2 analysis tools are still in development has created and verified multiple YAFFS2 images for educational purposes...

More (viaforensics)

Friday, February 24, 2012

What is it like being a digital forensics investigator?

A little bit of fun before the weekend...

Thanks to everyone who entered the "What is it like being a digital forensics investigator?" competition and congratulations to Infern0 for the winning entry - watch the video here!

Wednesday, February 22, 2012

Another Judge Rules Encryption Passphrase not Testimonial Under Fifth Amendment Analysis

I previously discussed, on a bar association section blog in 2007 and 2009, the case of In re Boucher, where a U.S. judge for the District of Vermont ruled that requiring a criminal defendant to produce an unencrypted version of his laptop’s hard drive, which was believed to contain child pornography, did not constitute compelled testimonial communication. The circuit court appeal in Boucher was dropped, but a new case has surfaced in the U.S. Court for the District of Colorado, United States v. Fricosu. There, a bank fraud defendant’s home was searched pursuant to a warrant, and a computer seized which held encrypted files. Further, Defendant provided evidence indicating her ownership of the computer, that she knew it was encrypted, and that it contained inculpatory evidence...

Read more

Tuesday, February 21, 2012

Interview with Yuri Gubanov, Founder of Belkasoft

Yuri is the founder of Belkasoft, an independent software vendor specializing in computer forensics and system software for the Windows and Mac OS platforms.

Yuri, can you tell us something about your background and who you are?

I have a degree in mathematics and software engineering. I graduated with honors from St-Petersburg State University, Mathematical and Mechanical faculty. This is one of the oldest and best universities in the second largest city in Russia, famous for its white nights in June when you can even read outside at night...

Read more

Monday, February 13, 2012

Forensic Focus site redesign

A short advance warning that I'm planning to make some changes to the site design this evening. There won't be any major changes, just a refresh to give what I hope will be a cleaner, more professional look with somewhat less clutter than we have at the moment.

As a result of the above, expect the site to be offline for a few hours starting at around 7PM GMT (I'll try and keep downtime to a minimum).
Tuesday, January 24, 2012

Harry Onderwater

A few days ago the Dutch forensics community - indeed, the wider forensics community - lost one of its founding fathers, Harry Onderwater.

Having worked for many years for the Dutch police in Amsterdam, Harry then moved to the Centrale Recherche Informatie Dienst (National Criminal Intelligence Service) where he became one of the first investigators in the newly emerging field of computer crime, building a reputation for excellence not just in the Netherlands but also further afield throughout Europe and the USA. Later in his career he became Corporate Security Manager at KPMG in the Netherlands where he also played a leading role in digital forensics.

It is difficult to describe Harry without resorting to cliché, but he truly was a larger than life character. Behind his imposing physical presence - which must surely have worked to his advantage in his many years on the force - lay a consummate professional and gentleman. Kind hearted, generous and possessing a wonderful sense of humour, Harry was always a joy to deal with. To the vast majority of those who met Harry through work, there is little doubt he will be remembered first and foremost as a friend rather than a colleague.

On a personal note, I would like to offer my sincere condolences to Harry's family and close friends. He has left us all too soon and will be deeply missed.

Bedankt, Harry, voor alles. (Thank you, Harry, for everything.)