Digital Forensics


    SANS Computer Forensics and e-Discovery with Rob Lee

  • "Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators"

    Ira Victor
    10 May 2012 | 6:14 am
    Welcome to Digital Forensics Case Leads. Another busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a forensicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct…
  • "Writing Malware Reports"

    Mike Murr
    8 May 2012 | 4:41 am
    One of the more common questions that people ask in the FOR610 (reversing) class is about writing malware reports. Specifically, what should go into a malware report?
    The Guiding Principle
    When I get asked this question my first response is usually "well why did you do the exam?" Besides potentially being a bit cheeky, the reason I ask this question is because it highlights the fact that malware analysis is something that's usually done to facilitate investigations, incident response, etc. So the heuristic to use when deciding what to put into a malware report falls along the lines of "include…
  • "Digital Forensic Case Leads Getting caught via metadata, A Forensic Guide to Windows 8 and the New DFIR Wall Poster."

    Mark McKinnon
    4 May 2012 | 12:41 am
    This week in Case Leads: Apple's security questions, Hacker gets caught via metadata, A DFIR wall poster will be available, a guide to Windows 8 forensics, a few tools have been updated and watching 182 superhero movies in under 5 minutes. If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org. Tools: Simple Carver Suite just released version 4.7 which includes more tools to analyse and extract information from many different file types and utilities to assist in everyday tasks. The program can be found here. Oxygen Software Updates…
  • "SANS DFIR Wall Poster Preview"

    robtlee
    2 May 2012 | 10:22 pm
    The SANS DFIR Wall Poster is complete. The poster is our first dedicated specifically for Digital Forensics and Incident Response analysts. The poster will be sent to your home as a part of the SANS NS2012 course catalog.
    How Do I Receive the Poster?
    To sign up to receive the poster automatically, you will need to have a SANS Portal account ...
  • "Digital Forensics Case Leads: MBR Parser, VSC Toolset GUI, Memory Forensics Cheat Sheet & other goodness......"

    Joe Garcia
    28 Apr 2012 | 7:25 am
    In this week's SANS Case Leads, we have a python script for parsing the Master Boot Record, a question of USB drive serial number uniqueness, some VSC goodness and some other stuff ;-) If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org. Tools: Jamie Levy (@gleeda) posted a script that she wrote that parses the MBR in order to help find MBR infectors. Read Jamie's Blog post. Grab the script here. Jason Hale came up with a GUI front-end for Corey Harrell's batch scripts used to rip/examine Volume Shadow Copies, called VSC Toolset DEFT…

    Windows Incident Response

  • Approximating Program Execution via VSC Analysis with RegRipper

    Keydet89
    8 May 2012 | 3:26 pm
    I recently listened to Ovie and Corey on the latest CyberSpeak podcast, and wanted to combine what I'd heard them discuss with respect to the latest release of RegRipper, and provide a technique for analysis that incorporates VSCs. Now, one of the things we may run across during our analysis, if we create a timeline, is that we may have a Registry key that was modified in some way during a particular time window of interest.  There are a number of Registry keys for which all we have available is a LastWrite time (which is analogous to a file's last modification time) but we do not know…
  • How not to get p0wned by RR v2.5

    Keydet89
    8 May 2012 | 11:55 am
    I recently provided a minor update to the RegRipper tools, moving to v2.5.  As there was no modification to how the tools would interact with the plugins, I only provided the tools themselves, including both the Perl scripts (source code) and Windows executables, compiled via Perl2Exe.  I did not include the contents of the plugins directory along with the distribution, as I figured folks who were using the tool would just copy the files over their current installation. Since the release of the updates, I've received a couple of comments about the RegRipper GUI not working…
  • RegRipper: Update, Road Map

    Keydet89
    6 May 2012 | 7:50 am
    I thought that, due to some changes in how things were developing with respect to RegRipper, it was time to take a look at a couple of things that had been requested, and to go ahead and include some updates.  After all, RegRipper hasn't been updated in a while...I'm not sure why it would need to be, in particular, as RegRipper itself seems to be doing well.  I'd think that it would be the plugins that need updating, but there were a couple of things sitting scattered about my work bench that I could include in RegRipper.  As such, I opted to break things out into an update for…
  • Trusted Adviser

    Keydet89
    5 May 2012 | 6:05 am
    I've blogged before regarding the need for a "trusted adviser" and I recently had an opportunity to respond to a query, and recommend yet again for a trusted adviser. This time, however, it was a little different, in that the initial question had to do with asking forensic analysts what they would do to educate prosecutors on what is available and what can be achieved from digital forensic analysis.  The short story is...a lot.  But that doesn't really help answer individual questions as they come up.  So, providing an initial brief and then extending that to include something…
  • Links and Tools

    Keydet89
    4 May 2012 | 4:40 pm
    Windows 8 Forensics Guide
    You can now find a free Windows 8 forensics guide over on the Propeller Head Forensics blog.  Amanda's guide is a great way to get started learning about some of the new things that you're likely to see in Windows 8 (if you aren't already running the Consumer Review edition). I had an opportunity to meet and listen to Christopher Ard of MS talk about some of the neat new features of Windows 8 recently at the Massachusetts Attorney General's Cyber Crime Conference.  I also sat in on Chris Brown's presentation on ProDiscover, and he stated that he's working on…

    TaoSecurity

  • SEC Guidance Is a Really Big Deal

    Richard Bejtlich
    14 May 2012 | 4:19 pm
    In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal. Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts.
  • Clowns Base Key Financial Rate on Feelings, Not Data

    Richard Bejtlich
    21 Apr 2012 | 1:44 pm
    If you've been reading this blog for a while, you know I don't think very highly of mathematical valuations of "risk." I think even less highly of the clowns in the financial sector who call security professionals "stupid" because we can't match their "five digit accuracy" for risk valuation. We all know how well those "five digit" models worked out. (And as you see from the last link, I was calling their bluff in 2007 before the markets imploded.) Catching up on last week's Economist this morning I found another example of financial buffoonery that boggles the mind. The article is online:…
  • Salvaging Poorly Worded Statistics

    Richard Bejtlich
    4 Apr 2012 | 7:43 pm
    Today I joined a panel held at FOSE chaired by Mischel Kwon and featuring Amit Yoran. One of the attendees asked the following: At another session I heard that "80% of all breaches are preventable." What do you think about that? My brief answer explained why that statement isn't very useful. In this post I'll explain why. The first problem is the "80%." 80% of what? What is the sample set? Are the victims in the retail and hospitality sectors or the telecommunications and aerospace industries? Speaking in general terms, different sorts of organizations are at different levels of maturity,…
  • Inside a Commission Hearing on the Chinese Threat

    Richard Bejtlich
    26 Mar 2012 | 7:09 pm
    This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I'm seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey. As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and…
  • Impressions: Fuzzing

    Richard Bejtlich
    14 Mar 2012 | 5:00 am
    Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the Amazon.com reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing. I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well…

    8 bits

  • Facebook Graph analysis

    Mark
    10 May 2012 | 6:42 am
    I have started to work on my Facebook Graph analysis tool. Work in progress ...
  • How to add custom jQuery script to Wordpress

    Mark
    9 Mar 2012 | 6:02 am
    The ingredients to add a custom jQuery script to a Wordpress theme: 1) custom function in the theme's functions.php file; 2) jQuery file; 3) add_action() line. Before you start, please install the Google Libraries plugin! 1) in [website root]\wordpress\wp-content\themes\current_theme\functions.php add these lines:
        <?php
        // My own nitwit jQuery script
        function nitwit () {
            wp_enqueue_script('shittycode', THEME . '/scripts/myscript/alert.js', array('jquery'), '1.0', false);
        } // End nitwit()
        add_action( 'wp_print_scripts', 'nitwit', 1…
  • backup synology nas to amazon S3

    Mark
    20 Nov 2011 | 8:16 am
    Amazon S3 (http://aws.amazon.com/s3/) is storage for the Internet. It provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, secure, fast, inexpensive infrastructure that Amazon uses to run its own global network of web sites. The service aims to maximize benefits of scale and to pass those benefits on to developers. In short: it's a nice remote place to store your precious backups! First, install these packages on your…
  • How to run Python 2.7 on Synology NAS

    Mark
    6 Nov 2011 | 3:34 am
    A simple walkthrough to install Python 2.7 on Synology NAS:
    1) install ipkg. Read this blogposting for more information about installing ipkg: http://setaoffice.com/2011/04/08/how-to-install-compiled-programs-on-a-synology-nas/
    2) run 'ipkg update'
    3) run 'ipkg install python27'. It will install Python and all dependencies
    4) now, the command 'python2.7' will start the Python command line: print 'hello world';
    There are many other packages which can be installed on the Synology NAS with Optware, take a look at this website:…
  • SSH tunnel with Synology NAS

    Mark
    1 Nov 2011 | 10:14 am
    Here's my solution to create an SSH tunnel over Synology NAS, in order to browse the internet in a safe way. First, read this blogposting: http://setaoffice.com/2011/04/08/how-to-install-compiled-programs-on-a-synology-nas/ Install ipkg first, so you can install other packages like openssh, nano etc. afterwards: Log in to the NAS with SSH:
        ssh root@192.168.0.12
        login as: root
        root@192.168.0.12's password: (type your admin password here and press Enter)
        DiskStation>
        DiskStation> cd /volume1/@tmp/
        DiskStation> wget…

    digfor

  • USB Flash drive Serial Numbers - "UNIQUE"?

    23 Apr 2012 | 2:10 am
    Formatted USB flash drives (a.k.a. thumb drives etc) have Volume Serial numbers generated when the new filesystem gets created. The algorithm depends on a file system and OS. Volume Serial number can easily be changed via hex editor at locations:
        FAT 12/16 - 4 bytes at offset 0x027
        FAT 32    - 4 bytes at offset 0x043
        NTFS      - 8 bytes at offset 0x48
    or by using a myriad of free tools that can be found on the Internet. Volume Serial numbers are important from the forensic investigations stand point and there have been plenty of…
  • HELLO - Almost missed it.

    10 Apr 2012 | 10:32 am
    Computer Forensic tools are rapidly improving and make forensic examinations easier for the masses. Only a qualified forensic practitioner however can reliably produce consistently good results. For example at present no computer forensic tool can properly detect, search and index text in the Unicode escape sequence. I have recently been working with the image containing some iPad sqlite3 backup files and found an extremely important piece of evidence almost by accident. Well, not exactly by accident, just have been thorough really. \u0048 \u0045 \u004c \u004c \u004f means HELLO when you…
  • Sharing

    27 Feb 2012 | 5:49 am
    Sharing information on the net has some risks associated with it. "..if you rear yourself against it, you shall fall, you shall be bruised, you shall be battered, you shall be flawed, you shall be smashed." Dickens, Bleak House (1853) Yet still, I would rather see more information and a healthy discussion or argument about the issue, than seeing nothing. I am glad to see more computer forensic blogs popping out, some of them are really great and some are just excellent. Periodically I get a chance to speak to very knowledgeable people. These…
  • PFX – Personal inFormation eXchange

    16 Feb 2012 | 9:29 am
    A password and PFX file are needed to open encrypted e-mail messages, whose content is enveloped and attached as smime.p7m. PRTK does a good job at cracking passwords, but some PFX files have different headers which PRTK would not recognise. Chilkat Python Modules come pretty handy in this situation. Modules come with a fully-functional 30-day trial and need to be purchased for use beyond this period or for commercial purposes. I wrote a script, which is based on one of the Chilkat module examples to allow a dictionary attack on PFX and p7m encrypted message. The code is quick and…
  • a couple of newly discovered tools

    23 Nov 2011 | 7:20 am
    It's been an extremely busy autumn for me. Whilst running around, I came across a couple of useful tools. SAFE (System Acquisition Forensic Environment) is a Windows PE boot disk with built in software write blocking. I use the Enterprise version, which requires a dongle only to start up the environment. The dongle then can be removed to start up the next machine. A bootable USB can also be created with SAFE USB Creator. There are several tools listed as officially SUPPORTED by ForensicSoft, but plenty of other tools can also run just fine in this environment. To get the ability…

    Forensic Focus

  • FBI: We need wiretap-ready Web sites - now

    16 May 2012 | 6:12 am
    The FBI is asking Internet companies not to oppose a controversial proposal that would require firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance. In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned... More (CNET)
  • Interview with Noreen Tehrani, Applied Trauma Psychologist, NTA

    15 May 2012 | 6:45 am
    What are the short and long term effects of working with the kind of disturbing material which digital forensics examiners often encounter in their work? I think that it is relatively easy to see that some people will never be able to deal with the distressing images, sounds and dialogue that are part of the examiner's world. Some people fail within the first few days of being exposed to the material. However, perhaps more difficult is the slow grinding down of the digital examiner's resilience which can happen over months or years. People who have handled this kind of work may suddenly find…
  • Job Vacancy: Assistant Manager - Computer Forensic, London - Up to £48K

    14 May 2012 | 8:27 am
    Client is seeking an assistant manager to join their Forensic Technology team, specialising in the capture and analysis of forensic data. Role Responsibilities:
    - Assist the Forensic team in imaging and search of imaged data
    - Assist with production of data
    - Undertake research and assist with maintenance of databases
    - Forensic examination of mobile devices
    Read more here or contact Dave on 0207 297 9692 or email dt@warnerscott.com
  • Group-IB Releases 2011 Report on Russian Cybercrime

    14 May 2012 | 8:14 am
    Group-IB, a leading Russian cybercrime investigation and computer forensics company and LETA Group subsidiary, has announced a 28-page report on the Russian cybercrime market in 2011. Analysts from Group-IB's computer forensics lab and its CERT-GIB unit prepared the report. The report outlines the main risks associated with various types of hacker activities, analyzes the main trends in the development of the Russian cybercrime market, estimates the shares and the financial performance of the Russian segment of the global cybercrime market, and forecasts market trends for this year. A summary…
  • Job Vacancy: eDiscovery Forensic Consultant - London £30-£65k

    11 May 2012 | 4:46 am
    E-Discovery Consultant is required for a leading management, IT and technology consulting firm with experience in Nuix, Relativity, EnCase and Forensic. The E-Discovery Consultant will be primarily responsible for supporting electronic discovery projects. This is an excellent opening for an experienced E-Discovery Consultant who has experience of forensically collecting data and conducting basic forensic tasks. CVs to phil@propriusrecruitment.com or call 020 7618 0965 for a confidential chat. Read more

    (ISC)2 Blog

  • Dotted lines in shifting sands

    Gary Hinson
    14 May 2012 | 5:02 pm
    An opinion piece regarding a possible US law change raises fascinating ethical questions about privacy rights.  Whereas employers have some interest in what their employees are saying and doing in their personal/non-work time, employees also have reasonable expectations of privacy concerning their private lives: OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act. The bill would bar employers from demanding job…
  • Security Provisions In Software Development Contracts - Who Pays?

    Tomhaney
    14 May 2012 | 2:12 pm
    In the last few years, there has been a rise in the number of security vulnerabilities in software and applications which has ultimately led to huge losses in terms of money, trust and morale of the people using the software. Software development companies are always on the edge of their seats to get the software out of production and onto store shelves to stay on top of the game and the market. Vendors aim to have their software developed fast, cheap and qualitatively excellent. But software which is fast and cheap won't have the desired quality; software which is qualitatively excellent…
  • The Ethics of White Hat Hacking

    Hord Tipton
    11 May 2012 | 10:48 am
    From the early hacker culture that took its form and shape at the Massachusetts Institute of Technology (MIT) during the late 50s and early 60s to the present day groups of hackers, a lot has changed in the world of hacking in terms of ethics, motives, objectives, goals and incentives. Hacking, from what was considered to be a philosophy, a new way of life and a dream, has now taken on a more derogatory form which feasts upon the exploitation of known and unknown vulnerabilities for illegal, unlawful financial, moral or political gains…
  • FedRAMP 3PAO Program – Have we Heard of this Idea Before?

    Matthew Metheny
    21 Apr 2012 | 5:47 pm
    In a packed auditorium in 2006, I recall sitting in the “Red Auditorium” at NIST to participate in a workshop hosted by the Computer Security Division.  The goal of the workshop was to discuss the implementation of Phase II of the FISMA Implementation Project.  At the time, the Phase read like this: “The second phase of the FISMA Implementation Project focuses on the development of a program for credentialing public and private sector organizations to provide security assessment services. Security assessment services involve the comprehensive assessment of the management,…
  • Security Breach in CA Networks -Comodo, DigiNotar, GlobalSign

    Ravi Mandalia
    4 Apr 2012 | 9:58 am
    by Ravi Mandalia. Executive Summary: Since March 2011 more and more cyber attacks are surfacing across the globe with damaging consequences both for the companies that faced the attacks and for the customers whose details were stolen. One such attack was on Sony's PlayStation Network that resulted in a breach of personal details of nearly 70 Million customers. Some of the other cyber attacks of 2011 are RSA, Lockheed Martin, Gmail accounts of U.S. politicians, CitiGroup, IMF, etc. Considering that the above attacks are particularly high profile and are more or less detached from our day to…

    viaForensics

  • Companies slow to react to mobile security threat

    lhaas
    14 May 2012 | 12:18 pm
    Almost 9 out of 10 employees use their personal mobile devices for work. And less than half of those people are taking any sort of security precautions. “The findings, released this week, point to the need for all C-level executives to start taking mobile security seriously to avoid giving hackers an open door to the corporate network.” Juniper found that 89 percent of business users, often called prosumers, are using their personal devices to access what the vendor says is “critical work information.” More than 40 percent of that group is using their tablets and…
  • Card Forum and Expo – Ensuring Security on Mobile Devices – May 2012

    Jon Pisani
    13 May 2012 | 3:22 pm
    The following presentation was delivered by Ted Eull at the 24th Annual Card Forum and Expo in Orlando, FL on May 11, 2012. Browse the slide images in the gallery below. A PDF version is available; make sure you are registered on the site and then use this link: PDF Download. For more information about the UK Channel 4 News Special regarding contactless credit cards, please visit the following blog entry.
  • Mobile Security Engineers/Hackers Wanted (in a good way)

    ahoog
    10 May 2012 | 5:39 am
    viaForensics is an innovative digital forensics and security firm. We serve commercial clients as well as many government agencies. viaForensics applies the science of forensics in a proactive manner in order to assist our customers in managing sensitive data related issues. Our primary focus is mobile security. Smartphones and tablets present unique security challenges as they are fully functional computers which are extremely mobile. They run complete operating systems and are wirelessly connected to the Internet and other networks via high speed connections. They also possess large amounts of…
  • Five Shocking Statistics From The Latest Internet Threat Report

    lhaas
    7 May 2012 | 12:55 pm
    Some interesting statistics from Symantec's threat report: Religious sites = bad; porn = good. Religious and ideological sites had triple the average number of threats per infected site than pornographic Web sites, Symantec reported in its 2011 Internet Security Threat Report (ISTR). The report found a mix of trends, with spam levels dropping even as attacks mounted in 2011. Here are some of the surprising findings of the Symantec report. Porn sites – clean, not dirty: Pornography-themed Web sites have long had a reputation as the "dark alleyways"…
  • How far behind is Apple’s security?

    lhaas
    1 May 2012 | 6:28 pm
    Kaspersky Lab founder Eugene Kaspersky made headlines last week when he declared that Apple was “10 years behind Microsoft in terms of security.” Kaspersky was referring to the recent spread of the Flashback family of malware, which was greatly aided by Apple’s long delay in patching a known software flaw. But is Apple really 10 years behind the times? “I’d say that Apple’s got another 10 years to go before their security will become as much of a laughingstock as Microsoft’s,” said Jonathan Zdziarski, author of “Hacking and Securing iOS…

    Crime and Forensic Blog

  • New forensic tool for determining birth year of unidentified bodies

    admin
    9 May 2012 | 12:07 pm
    It is difficult to determine the age of a corpse, particularly if it has been dead for a while or it was involved in a natural disaster such as an earthquake or tsunami, unless the body is obviously that of a child or a much older individual. Age determination can be very useful in narrowing down the possibilities of who the body may have been, especially in a mass casualty type incident. Teeth have always been used to try to make an age determination of a body, but once a person reaches adulthood, signified by the appearance of wisdom teeth, it is impossible to determine exact age by…
  • Etan Patz & the Missing Children Movement

    admin
    8 May 2012 | 3:50 pm
    by Sarah Rosenstein. On May 25, 1979, 6-year-old Etan Patz disappeared while walking to a bus stop two blocks from his home in lower Manhattan, New York. Etan's body was never recovered and no one was ever officially convicted of the crime.  Many people might remember Etan as the first child to be pictured on the side of a milk carton. This was one of the first methods used to stimulate public awareness and would later set the Missing Children Movement in motion. In addition to Etan's disappearance, other incidents during the late 1970s and early 1980s mobilized the missing child…
  • Criminal Lineup Process

    admin
    4 May 2012 | 12:45 pm
    by Grace Park. Centuries ago, when forensic science was not an established application to police investigations, eyewitness testimonies were the go-to method for collecting the facts of the crime. Nowadays, eyewitness accounts are not reliable for many reasons, one being that police may lead, intentionally or unintentionally, eyewitnesses towards a certain suspect. An honest and thorough procedure of the visual account needs to be encouraged amongst investigators. For this reason, the House of Representatives passed a bill on May 1 changing police conduct during criminal lineups to improve…
  • The Teardrop Rapist Returns

    admin
    3 May 2012 | 9:14 am
    by Grace Park Since 1996, a serial rapist in the Los Angeles area has been terrorizing women. Although attacks were suddenly halted in 2005, the rapist claimed his 28th victim late in 2011. This alarming news for Los Angelenos has startled the community and driven the police to warn young women walking in the late night or early morning hours. A unique feature of the serial rapist is his tear-drop tattoo on his face; however, it appears that the perpetrator may have removed his tattoo during his hiatus of 6 years. Police believe that the hiatus is due to the suspect being locked up for a…
  • Connecticut moves to abolish the death penalty

    admin
    3 May 2012 | 8:44 am
    by Eden Pecha The 86-62 vote in the Democratic-controlled House followed last week’s Senate vote and sends the bill moving to abolish the death penalty to Governor Dannel Malloy, who has vowed to sign it into law. The House vote follows a 20-16 vote in the Democratic-controlled Senate on April 5 to repeal the death penalty. Once signed into law, Connecticut will become the fifth U.S. state in five years to remove the death penalty, following Illinois, New Mexico, New Jersey and New York. Connecticut’s removal of the death penalty would replace it with life in prison without the…
    Forensics from the sausage factory

  • Windows Live Messenger – MessengerCache folder

    15 May 2012 | 6:36 am
    A recent case was unusual because most of the ipoc were located by the police examiner in a folder entitled MessengerCache at the path C:\Users\<user_name>\AppData\Local\Temp\MessengerCache. My mission was to have a closer look at how this folder is utilised by the program Windows Live Messenger.  The folder is a hidden folder and is used for various purposes by WLM.  I found that the folder can be used to store the user tile (this may be an icon or a thumbnail photograph or graphic) and theme picture of a remote contact. Of course the remote user (who could be anywhere in the…
  • Old Servers never die – unfortunately

    15 May 2012 | 5:39 am
    But you can bet your last penny that at some stage you will have to image them.  That is the problem I faced one wet weekend recently when I was required to image an HP behemoth resplendent with two sizable raid 5 arrays and two USB 1 ports.  All drive bays and ports were in use so I could not insert a new drive into the box to image it and I didn’t fancy imaging all the elderly SCSI raided hard drives separately.  I was permitted to shut down the server and had decided to boot the box to a forensic linux distro that had suitable HP Raid Controller drivers. The problem I…
  • Adobe Bridge CS3 and some MySQL stuff

    8 Feb 2012 | 8:05 am
    Like buses – you wait all day for one and then two come along at once! A recent case involved a number of images found within a file entitled FileSystem_Nodes.MYD on an Apple Snow Leopard box. The indictment referred to each image by its File Offset and the date of the offence was particularised with an arbitrary date relating to the date of seizure. The forensic investigator had not presented any further evidence relating directly to the images. The path to FileSystem_Nodes.MYD was ~\Library\Caches\Adobe\Bridge CS3\Cache\data\BridgeStore\FileSystem_Nodes.MYD and…
  • Missing in action

    8 Feb 2012 | 5:49 am
    No, not me (although I have been missing for some time!). I’m talking about the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep. For those of us looking at dead boxes this key can be found within each user's NTUSER.dat registry file and is used to record how many days of history Internet Explorer keeps for the particular user. As many of us know, the default is 20 days. In a recent case the value of this key was pertinent, and when I went to examine it on two separate boxes I found it was missing. For the record, one box was…
  • SQLite overflow pages and other loose ends...

    2 Jul 2011 | 5:10 pm
    This is the fourth post dealing with the elements making up SQLite databases and complements the previous three: Carving SQLite databases from unallocated clusters; SQLite Pointer Maps pages; An analysis of the record structure within SQLite databases. We will remember from these previous posts that: the entire database file is divided into equally sized pages (SQLite database files always consist of an exact number of pages); the page size is always a power of two between 512 (2^9) and 65536 (2^16) bytes; all multibyte integer values are read big endian; the page size for a database file is determined by…
    DFI News RSS Feeds

  • AIS Inc. Announces MacResponse LE

    rwaters
    15 May 2012 | 7:00 pm
    AIS, Inc. announces the availability of their newest software product, MacResponse LE™. MacResponse LE is designed to provide law enforcement with critical capabilities needed to reliably collect and analyze data from live computer systems running various versions of Mac OS X. MacResponse LE was developed by AIS, Inc. through a National Institute of Justice (NIJ) Electronic Crime grant and is available for free.
  • Operation Phish Phry Catches International Hacking Ring Manager

    eaustin
    15 May 2012 | 7:00 pm
    A principal figure in the domestic arm of an international “phishing” operation that used spam e-mails and bogus websites to collect personal information used to defraud American banks was sentenced to five years in federal prison. Nichole Michelle Merzi, 26, of Oceanside, was sentenced in the fraud case by Senior United States District Judge Terry J. Hatter, Jr.
  • Book Review: The Basics of Digital Forensics

    rwaters
    15 May 2012 | 7:00 pm
    As the title indicates, “The Basics of Digital Forensics” by John Sammons covers many of the basic concepts and principles of digital forensics. At first glance, it appears that the book is only intended to provide an overview of the discipline for those who are considering a career in digital forensics. However, that is not necessarily the case.
  • Data Killer Erases Incriminating Digital Evidence

    eaustin
    15 May 2012 | 7:00 pm
    by Max Eddy For when the police are knocking at your door and you have piles and piles of hard drives filled with stolen credit card info, CIA secrets, duck porn or pirated movies (take your pick) there comes this product from Platform of Japan. Called the Data Killer, it's a line of products that instantly erases a hard drive, or 14 hard drives, or an entire freaking laptop.
  • Man Stabs Computer to Hide Child Porn from FBI

    eaustin
    15 May 2012 | 7:00 pm
    by Nate Anderson When FBI agents burst into his bedroom, they found Kamil Mezalka standing in his underwear, clutching a two-handed samurai sword that he had just plunged into the side of his desktop computer. The feds were there to question him about 4,000 images and videos of child pornography they believed were linked to his account; Mezalka was apparently trying to destroy the evidence.
    Forensic Focus Blog

  • Interview with Noreen Tehrani, Applied Trauma Psychologist, NTA

    15 May 2012 | 6:52 am
    Can you tell us something about your background and why you decided to work in the field of applied trauma psychology? I have had a very mixed career; I have worked in medical research, as a retail operations director, property development, Head of a counselling service and running my own company. I think that the fact that I have had lots of experience doing different things has been really helpful to me. Although I love research, at heart I am a practitioner and enjoy working with people and organisations to help them to have happy and healthy lives. I don’t think that I set out to be an…
  • Interview with Keith Cottenden, Forensic Services Director, CY4OR

    18 Apr 2012 | 5:17 am
    Can you tell us something about your background and how you became involved in digital forensics? I spent 22 years in the Royal Air Force Police specialising as a Counter Intelligence and Information Technology Security investigator; supporting criminal and security investigations by the examination of recovered computer media, using recognised forensic techniques. I have over twenty years' experience of carrying out computer audits and investigating incidents of computer misuse, virus attacks, hacking and loss & theft of data. I have been in the private sector, specialising in digital…
  • Exploded Car for Digital Forensics Students Tutorial

    13 Apr 2012 | 5:17 am
    University forensics students sift through exploded car to find digital data for use in mock trial (YouTube Video)
  • Overcoming Potential Legal Challenges to the Authentication of Social Media Evidence

    3 Apr 2012 | 6:08 am
    Social media evidence is highly relevant to most legal disputes and broadly discoverable, but challenges lie in evidentiary authentication without best practices technology and processes. This whitepaper examines these challenges faced by eDiscovery practitioners and investigators and illustrates best practices for collection, preservation, search and production of social media data. Also highlighted in this paper are examples of numerous unique metadata fields for individual social media items that provide important information to establish authenticity, if properly collected and…
  • viaForensics releases 10 Android YAFFS2 images

    29 Feb 2012 | 5:34 pm
    The YAFFS2 file system is widely used in Android devices, but to date has not been supported by the leading open source forensic toolkit, The Sleuth Kit, commonly known as TSK. viaForensics has undertaken development to integrate YAFFS2 file system support in TSK and, while the YAFFS2 analysis tools are still in development, has created and verified multiple YAFFS2 images for educational purposes...