
Dealing with Data Encryption in Criminal Cases

Tuesday, March 27, 2012 (12:48:48)
Over the last several years, I’ve posted a handful of short blog entries about the topic of compelling a criminal defendant to surrender a passphrase to an encrypted volume or hard drive. These entries concern the three cases In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, United States v. Fricosu (D. Colo., 2012), and In re Grand Jury Subpoena (Boucher), 2009 U.S. Dist. Lexis 13006 (D. Vt., 2009). I have developed the opinion —admittedly, more on hunch than scholarly research— that a defendant should not be able to knowingly withhold a passphrase or password to an evidence trove any more than he should be permitted to hang on to a physical key that could be used to open a safe that the Government has a valid warrant to search, and which is believed to contain evidence. Unfortunately, I have found myself on the wrong side of this issue...

  • Posted by: jamie
  • Topic: Links
  • Score: 0 / 5
  • (1166 reads)

AccessData FTK 4.0: initial impressions

Wednesday, March 21, 2012 (11:38:15)
In this post, I will provide some initial impressions and findings. I do not endeavor to write a white paper, or to employ an industry-standard, scientific methodology to evaluate the tool (if for no other reason than because I am constrained by time). First, I note that it appears that no one has been able to get FTK to work with PostgreSQL, leading me to conclude that the product was shipped without being tested in this regard. (If a reader has been able to get it working, I encourage you to post a comment here.) I was not able to get it to work, and I wasted two valuable —otherwise billable— days I had set aside for a client, only to make this discovery...

  • Posted by: jamie
  • Topic: Links
  • Score: 0 / 5
  • (1310 reads)

Firefox Cache Format and Extraction

Tuesday, March 20, 2012 (15:16:04)
In the forensic lab where I work, we frequently investigate malware-infected workstations. As our user population started shifting from Internet Explorer to Firefox, we observed that one of our favorite forensic tools, Kristinn Gudjonsson’s log2timeline, wasn’t able to provide as much data for Firefox as it was for IE. The missing component was cache data; log2timeline was capable of parsing IE cache but not Firefox. In order to fix this deficit and contribute to log2timeline, I decided to write a log2timeline module for the Firefox cache. During the course of writing that module (ff_cache.pm – available in log2timeline 0.62), I researched how the Firefox cache works, wrote a tool to extract data from it (ff_cache_find), and learned traits of Firefox that have implications for forensic acquisition and analysis...

  • Posted by: jamie
  • Topic: Links
  • Score: 0 / 5
  • (951 reads)

Forum topic: Encase 7 - Refund

Wednesday, March 07, 2012 (17:39:47)
"As one of several in my office, we've tried to give Encase 7 a fair shout. But after 6 months or more we have lost all faith in it as a usable product - reduced functionality from V6, ludicrous processing times and numerous bugs, etc., etc.

Our view is that it was sold as a beta release and we are aggrieved at paying the SMS and outlay for the upgrade, and yet between 8 of us we haven't yet been able to use it on a single case..."

  • Posted by: jamie
  • Topic: Links
  • Score: 0 / 5
  • (1266 reads)

Mike's Forensic Tools - Cookie Cutter

Thursday, November 17, 2011 (14:07:32)
A simple app to decode the data held within Google Analytics Cookies.

The data can be identified by the "__utm" prefix that starts each section. The records hold: the number of visits to a website; the first, last and current visit dates; the search term used to reach the website that set the cookie; and the search engine used. They also show whether the user arrived by clicking on a Google Ad or on a link in the main body of the search results. All of this is independent of the normal Internet History, and if the records are found in unallocated/free space you again have the times and dates of any searches performed.

http://www.mikesforensictools.co.uk/MFTCookie.html
  • Posted by: mykulh
  • Topic: Links
  • Score: 0 / 5
  • (1746 reads)