Forensic Focus Blog

Guest blog post: TACTICAL trial by fire

noreply@blogger.com (admin) — Fri, 05 Mar 2010 15:02:00 +0000

by Hogfly from http://forensicir.blogspot.com/

Last week, I received a phone call to perform a sensitive acquisition for Law Enforcement. A tragedy really, but out of it arises a short story of success with modern forensics tools.

When I arrived on scene I was briefed and went to search for the requisite equipment to perform the acquisition. As it turned out, the entire stock of wiped drives was gone. A 500GB drive was located, but it needed to be wiped. Wiping a 500GB drive takes up to a few hours, so that was no good. I did have some clean space on an acquisition RAID device though. Given the sensitivities of the operation I had to do this quickly, efficiently, and right the first time. The margin for error was slim as there was information on the desktop that couldn't be lost.

I went for the Ace up the sleeve. I had up to this point only used it in testing, but I went for a tool I knew could trust. The tool was none other than F-response TACTICAL. Yeah that's right, I went for live imaging in a Law Enforcement case. There are still plenty of those doubters and naysayers out there, so let me be clear. The time to adapt has passed, the need to preserve evidence when lives are at stake is paramount. It's time you adopt modern techniques. There is no such thing as forensic purity, in any forensic discipline when you've got volatile evidence. That's a myth created by those that have never worked in the field.

Photos taken, and requisite documentation completed, I plugged the victim system in to a local switch I had for this purpose. I then proceeded to insert the subject dongle in to the subject computer. I quickly popped the examiner dongle in to my station attached to the acquisition RAID. Configuration, always quick, included physical memory. Then I simply clicked on "auto connect" on the examiner console. Just like that, the disk and memory objects I needed were exposed. Firing up FTK imager, I made the acquisitions I needed. The case proceeded as many do, with hurried phone calls and stress like no normal incident can create. The evidence was secured for examination and the subject laptop was turned over.

I'm an Incident Responder, and a Forensic Examiner. I need tools I can rely on, tools that work in the clutch, tools that don't break the bank, tools to use when life and limb are at stake. For me, that's F-response. A very big thanks to Matt Shannon and the folks at F-response. I'm not sure how the field got along without you and you've made technology available that makes a real difference.

Originally published at http://forensicir.blogspot.com/2010/02/tactical-trial-by-fire.html

Computer forensics education directory updated

noreply@blogger.com (admin) — Mon, 01 Mar 2010 17:22:00 +0000

Our University and College Course Directory has been updated with the following institutions:

American InterContinental University (US)
Arapahoe Community College (US)
Marshall University (US)
Lawrence Technological University (US)
Harper College (US)
California Sciences Institute (US)
Lenoir Community College (US)
Regis University (US)
Boston University (US)
University of Rhode Island (US)
Catawba Valley Community College (US)
Sheffield Hallam University (UK)
Macquarie University (Australia)
Dalarna University (Sweden)
Universiteit van Amsterdam (Netherlands)

Computer forensics education directory now online

noreply@blogger.com (admin) — Fri, 22 Jan 2010 14:01:00 +0000

A directory providing details of computer forensics courses offered by academic institutions worldwide is now online at

http://www.forensicfocus.com/computer-forensics-education-directory

This directory will be updated each year to reflect current course offerings but additions or amendments are encouraged at any time and may be sent through our contact form.

A second directory listing courses offered by commercial training providers is planned for later this year.

US academic institutions - final call for contact details!

noreply@blogger.com (admin) — Tue, 12 Jan 2010 16:26:00 +0000

Hi everyone,

I hope to have something to show for our efforts in putting together a directory of academic institutions offering computer forensics courses next week but I still need a little assistance with one or two places in the US.

If you have a contact person for any of the following (teaching, rather than general admissions) could you either pass on an email address to me or ask them to contact me on admin@forensicfocus.com:

Bucks County Community College
Carnegie Mellon
Cypress Community College (I think this is Chris Curran but I don't have an email address)
Delaware County Community College
Delaware County Technical School in Aston
University of Fairfax
George Mason University (Fairfax, VA Campus)
Luzerne County Community College
University of New Orleans (is it still Prof. Golden?)
University of Northwestern Ohio
University of Central Oklahoma
Pittsburgh Technical Institute
Rutgers University
Walsh College
West Virginia University (my mails to Roy Nutter are bouncing)
Wilmington University

Many thanks for any help!

Jamie

Hidden Hymn

noreply@blogger.com (admin) — Tue, 05 Jan 2010 19:04:00 +0000

From http://digitaldetective.wordpress.com/2009/12/17/hidden-hym/ (republished with permission)

There is something quintessentially British about the unique blend of gusto and gibberish which makes up a Gilbert and Sullivan operetta. What is less well known, perhaps, is that Arthur Sullivan also wrote the music to the world-famous hymn ‘Onward Christian Solidiers’.

It seems he also tried his hand at a lyric to the tune, which was later discarded. Now, though, the sole surviving copy of that lyric has emerged – yet another extraordinary treasure recently found amongst a cache of forgotten manuscripts.

We are delighted to reproduce the full lyric here.

Tune: St Gertrude by A. Sullivan

Hymn for the Unsung Heros

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.
Tableaus at the ready, armed against the foe,
Forward into battle see those White Hats* go!
(*LE singers may substitute “Blue lights” here. – AS.)

Refrain

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Dawn of retribution! Watch the suspects stare;
They and their Redeemer know what you’ll find there!
All their nasty surfing, docs and pix and more;
See, they fear the advent of the long arm of the Law.

Refrain

Image every hard drive, every USB,
Make a very detailed chain of custody,
There will be no tiny evidential fault
Bag and tag and walk the lot then slap it in the vault.

Refrain

Run it up in EnCase, data carve ‘til dawn
Bookmark hot and gmails, all the dodgy porn,
Short and sweet the statement witnessing the crime
Which gets them off the premises or even doing time.

Refrain

Like Olympic medalists going at full steam
Onward First Responders! Ply that data stream!
Vanquish all the villains, work with all your might
Show the unbelievers just how ev’ry bit can byte

Arthur Sullivan at his other keyboard

All together now…

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Adroit Photo Forensics review

noreply@blogger.com (admin) — Thu, 31 Dec 2009 11:35:00 +0000

A review of Adroit Photo Forensics is now online here with follow up discussion available here. Many thanks to Austin Troxell for the review.

Interview with Russell May, 4N6 Investigation

noreply@blogger.com (admin) — Thu, 10 Dec 2009 13:06:00 +0000

An interview with Russell May of 4N6 Investigation is now online at http://www.forensicfocus.com/russell-may-interview-101209. Russell is a well known figure in the computer forensics world with a reputation for providing some of the best training courses available. Enjoy the interview!

Forensic Computing PhD, UK

noreply@blogger.com (admin) — Fri, 04 Dec 2009 10:30:00 +0000

There is a PhD position available at the Centre for Forensic Computing, Cranfield University, UK. The broad area for the research is the investigation of the digital evidence left on hard disks by users who have communicated via the Internet.

The start date is February 2010.

To apply please see:

http://www.jobs.ac.uk/job/AAI779/phd-studentship/

The Value of Push Button Computer Forensics

noreply@blogger.com (admin) — Thu, 19 Nov 2009 09:16:00 +0000

Good discussion on "push button computer forensics" at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4906

Original blog post at http://integriography.wordpress.com/2009/11/17/the-value-of-push-button-forensics/

Some further comment at http://www.darkreading.com/blog/archives/2009/11/pushbutton_fore.html

Academic institutions - updated

noreply@blogger.com (admin) — Fri, 13 Nov 2009 00:09:00 +0000

I've updated the first post of this thread with everything we have so far (in something like alphabetical order). Thanks again to everyone who's contributed and please continue sending in details of anywhere not already listed.

Thanks,

Jamie

Computer Forensics in the Geek Press – A Taxonomy

noreply@blogger.com (admin) — Wed, 11 Nov 2009 10:53:00 +0000

"So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community...So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like The Register or Slashdot, and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool..."

More (Happy as a Monkey)

Academic institutions - who are we missing?

noreply@blogger.com (admin) — Fri, 06 Nov 2009 13:08:00 +0000

Hi everyone,

As many of you know I've recently made a start on building the new education section at Forensic Focus (hopefully bringing it online later this month) with the aim of listing every computer forensics university and college course worldwide.

I'd like to ask for your help in making sure I don't miss out any relevant institutions. The following is a list of the places currently on my master list - if you know of any place not listed below (and I'm sure there are many of them) I'd be grateful if you could either post a reply to this thread or email me with the details on admin @ forensicfocus.com. If you're able to provide a contact email address for a member of the teaching staff that would be great too (obviously if you yourself are a member of staff please don't hesitate to get in touch!)

OK, here's what I have so far:

UK

University of Bedfordshire
Birmingham City University (contact person details required)
University of Bradford
Coventry University
Cranfield University
De Montfort University (contact person details required)
University of Derby
University of East London (contact person details required)
Edinburgh Napier University
University of Glamorgan
University of Greenwich (contact person details required)
University of Huddersfield
Kingston University (contact person details required)
University of Central Lancashire
Leeds Metropolitan University
Lincolns College London (contact person details required)
Liverpool John Moores University (contact person details required)
London Metropolitan University
Middlesex University
Northumbria University
The Open University
University of Portsmouth
Royal Holloway, University of London
Staffordshire University
University of Strathclyde
University of Sunderland
Teesside University (contact person details required)
University of the West of England
University of Westminster

Ireland

University College Dublin
Dublin City University
Waterford Institute of Technology

US & Canada

Anne Arundel Community College
BCIT Centre for Forensics and Security Technology Studies
Bloomsburg University of Pennsylvania
Butler County Community College
California State University, Fullerton
Champlain College
DeVry University (contact person details required)
Edmonds Community College
University of Central Florida (contact person details required)
The George Washington University
Highline Community College (contact person details required)
Johns Hopkins University
John Jay College of Criminal Justice
Kaplan University - Hagerstown Campus (contact person details required)
Kennesaw State University
College of Lake County
Missouri Southern State University
Central Piedmont Community College
Pittsburgh Technical Institute
Purdue University Cyber Forensics Lab
University of Rhode Island (USA)
Rich Mountain Community College
Sam Houston State University
Stark State College of Technology
Stevenson University (contact person details required)
University of Texas at San Antonio
Tompkins Cortland Community College (contact person details required)
Walsh College
Washtenaw Community College (contact person details required)
Wilmington University (contact person details required)

Other

University of Cape Town (UCT)
University of Madras
University of Milan
Asian School of Cyber Laws (contact person details required)

If you can help by adding to this list or providing contact details I'd be very grateful - many thanks in advance!

Kind regards,

Jamie

Academic contacts - can you help?

noreply@blogger.com (admin) — Thu, 05 Nov 2009 15:20:00 +0000

I'm in the middle of compiling the new education section for the site and am trying to contact as many academic institutions as possible. However, I'm having some difficulty contacting staff members at the following universities and colleges:

UK

Birmingham City University
De Montfort University
University of Greenwich
University of East London
Leeds Metropolitan University
Lincolns College London
Royal Holloway, University of London
Kingston University
Liverpool John Moores University
Teesside University

Ireland

Waterford Institute of Technology
Dublin City University

US

University of Central Florida
DeVry University
Highline Community College
Kaplan University - Hagerstown Campus
Stevenson University
Tompkins Cortland Community College
Walsh College
Washtenaw Community College
Wilmington University

Italy

University of Milan

India

University of Madras

If you have an email address for a member of the computer forensics teaching staff - preferably the course leader - at any of the above I'd be grateful if you could mail me with it (if you're comfortable doing so) or alternatively ask the staff member to contact me directly on admin @ forensicfocus.com if you think they might want their institution to appear in the new section (there's no fee for inclusion, I just want to make sure the details are accurate.)

Many thanks in advance!

Jamie

Certifications are Evil

noreply@blogger.com (admin) — Wed, 14 Oct 2009 11:51:00 +0000

Thought-provoking post from John McCash over at Mark McKinnon's blog:

"Folks, this is an opinion piece, and it's going to be a controversial one. Some of you started composing a scathing rebuttal to it as soon as you read the title. Normally I restrict myself to what I hope are useful technical tidbits, but like most of you out there, I'm a forensic practitioner, and I have little patience for time sinks which provide no benefit (no I'm not including the training in that category, save your flames for the end). I've always begrudged the time commitment (over and above what's required to actually take the training and learn the included material) required to attain certifications, despite which I'm in possession of five, soon to be six, not counting my master's degree, so I like to think I speak from some degree of experience..."

Read more, and the ensuing discussion, here.

Shrinking the gap: carving NTFS-compressed files

noreply@blogger.com (admin) — Tue, 13 Oct 2009 07:20:00 +0000

A new paper from Joachim Metz of Hoffmann Investigations titled "Shrinking the gap: carving NTFS-compressed files" is now available here. Readers may be interested to note that carving NTFS-compressed data will also be part of the advanced carving topic of the Hoffmann Forensic Sessions in November.

My thanks to Joachim for another excellent paper!

Interview with Jim Gordon, West Mercia Police

noreply@blogger.com (admin) — Thu, 24 Sep 2009 13:25:00 +0000

Forensic Focus: Jim, can you tell us something about your background?

Jim Gordon: I left school in Dundee, Scotland when I was 17 years old and joined the Royal Air Force Police. I served in the RAF Police for just over 15 years, the majority of which was spent in the Special Investigation Service. Like most service personnel I served all over the place including three years in Cyprus, also visiting Belize in Central America, the Falkland Islands and finishing off with three years at the Joint Headquarters at Rheindahlen near Monchengladbach in Germany.

On leaving the RAF I joined Merseyside Police where I served in Liverpool city centre. I ended up on a Pro Active vehicle crime unit. After three great years I transferred to West Mercia Police where I was initially stationed at Kidderminster to the South West of Birmingham.

West Mercia is the fourth largest geographic police area in England and Wales. It covers the Welsh border counties of Herefordshire, Worcestershire and Shropshire. While West Mercia is predominantly rural, it also contains some densely populated urban areas and many market towns. As you can imagine it was quite a culture shock compared to Liverpool City centre.

After a short period in uniform I spent a number of years on the Pro Active CID, mainly employed in drug investigations at a local level, before successfully applying to become a Detective in the Criminal Investigation Department. In 2001 I successfully applied to join the Hi Tech Crime Unit. As they say the rest is history.

Forensic Focus: Why did you decide to work in the field of computer crime investigation?

Jim Gordon: I was always interested in computers from my days of being the proud owner of a ZX Spectrum and later when I seriously upgraded to an Olivetti 486. Whilst in the CID at Kidderminster I successfully completed a project management course and later during 2000 had the opportunity of going on an attachment to help the Force introduce the National Intelligence Model. Whilst part of the project team I first came into contact with the Hi Tech Crime Unit that at that time consisted of one member of staff. During 2001 the Hi Tech Crime Unit expanded and I successfully applied for one of the roles within the unit. As you can see from my background I’ve always worked in an investigatory role which is something that I enjoy and so computer forensics allows me to continue this, learn new things everyday and support the investigation teams...

Forensic Focus Graduate Recruitment

noreply@blogger.com (admin) — Wed, 23 Sep 2009 14:51:00 +0000

I'm delighted to announce the introduction of the Forensic Focus Graduate Recruitment program. Headed by respected computer forensics recruitment specialist David Sullivan and supported by technical experts in the fields of both computer and mobile forensics, this program aims to match graduates with suitable employers throughout the US, Canada and the UK.

Further details can be found at http://www.forensicfocus.com/graduates. Enquiries and resumes/CVs may be sent to graduates@forensicfocus.com

Helix 3 Enterprise review

noreply@blogger.com (admin) — Wed, 23 Sep 2009 10:05:00 +0000

A review of Helix 3 Enterprise written by Jonathan Krause of Forensic Control can be read here with discussion here.

"Helix 3 Enterprise (H3E) is e-fense’s flagship investigation suite pitched at a similar level as EnCase Enterprise or Access Data Enterprise. It’s aimed at organisations which need to be able to carry out incident response, forensics and e-discovery functions over networks. H3E facilitates centralised incident response, imaging of drives and volatile data and also enables scans and searches of a user’s internet history and documents on any computer which has had the H3E Agent pre-installed on it..."

Read more...

Forensic PC anti-contamination procedures

noreply@blogger.com (admin) — Mon, 24 Aug 2009 09:08:00 +0000

For those who don't follow the forums, there's an interesting discussion ongoing here about hard disk sterilization (if, indeed, that's the term of choice). I'd like to encourage further comments and viewpoints on this topic so please don't hesitate to have your say!

Mobile Telephone Case Law forum

noreply@blogger.com (admin) — Wed, 19 Aug 2009 11:19:00 +0000

New Mobile Telephone Case Law sub-forum here in response to this recent post.

Interview with Sean McLinden, Outcome Technology Associates, Inc.

noreply@blogger.com (admin) — Thu, 30 Jul 2009 14:49:00 +0000

[Sean is a Forensic Focus forum regular and posts under the username "seanmcl"]

Forensic Focus: Sean, can you tell us something about your background?

Sean McLinden: My first exposure to computers was as an undergraduate when I saw an episode of the PBS series Nova about artificial intelligence (AI). Since I was headed to the University of Pittsburgh to begin a graduate study in Medicine I hooked up with the team of Jack D. Myers, MD, and Harry E. Pople, PhD., who were researching the development of programs which could mimic the actions of human diagnosticians. Their laboratory was kind of a skunkworks which not only explored artificial intelligence, but also computer networking, hardware design and operating systems. Everyone who worked there was expected to be well versed in computer design and applications and innovative and there were a lot of opportunities for creativity and independent action. That model became my model for building collaborative teams in which people are encouraged to think independently, question conventional wisdom and be self-motivating.

Following completion of medical training I was recruited to become the head of MIS for what would become a university affiliated teaching hospital. Whereas in the research lab, sharing was the norm, in a patient care setting, the security of the information is paramount. This experience also taught me how production IT operations work, including the human element, an understanding of which is critical to cost-effective enterprise forensics.

From there, I chaired a university graduate program in IT management and then directed a clinical outcomes research group before starting Outcome Technology Associates in 1998.

Forensic Focus: What type of work is Outcome Technology Associates, Inc. engaged in? What does your role as president involve?

Sean McLinden: Outcome Technology Associates began as an organization that developed software and refined practices for the health care industry. Specifically, we did data analysis for patient clinical trials and helped to design systems for the sharing of patient information via data networks. Because our work involved a high degree of confidentiality, we were retained by law firms which had the need not only for data capture and analysis, but also the ability to be discrete. At that time, computer forensics was unheard of and so, "experts" were drawn from the academic and business units where IT practices were the area of specialization.

Our first cases involved simple data recovery, preservation and analysis for use in civil and criminal legal proceedings. The paper record was still the standard for courtroom evidence and most computer forensics involved the detection of traces of the paper record on computers. In 1995, we were consulted by attorneys for the plaintiff on a very large case involving tens of thousands of electronic documents, including e-mail, which was thought to contain evidence of an intentional breach of contract by the defendant. The outcome of the case was a $30 million judgment in favor of our client, and that was the start of our full-time business.

Today we are involved in any and all types of civil and criminal investigations in which the preparation, storage or transmission of information in electronic format is involved. I can say, in all honesty, that each of our cases has had one or more features which is/are unique among all of our clients, so it would be hard to pin us down as specializing in one form of computer forensics...

Read more at http://www.forensicfocus.com/sean-mclinden-interview-210709

Write Blocker Review

noreply@blogger.com (admin) — Thu, 23 Jul 2009 15:39:00 +0000

by David Kovar of NetCerto, Inc. (www.netcerto.com)

Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.

The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.

The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units...

Read more: http://www.forensicfocus.com/write-blocker-review-230709

Loser wins major competition!

noreply@blogger.com (admin) — Mon, 20 Jul 2009 12:16:00 +0000

In a surprising turn of events late yesterday afternoon a rank outsider and frequent loser fought off the challenge of more mature competition to win a major international trophy.

But enough of the Open golf championship. In other news, the Forensic 4cast awards also contained a few surprises :-)

Joking aside, thanks to the guys over there for putting together this fun event. Thanks too for all who voted for a certain website owner (I didn't think the money would reach your accounts in time).

I hope Forensic Focus continues to be a useful resource and I'm looking forward to introducing some exciting new features later this year...stay tuned!

Hard disk data storage

noreply@blogger.com (admin) — Thu, 16 Jul 2009 07:52:00 +0000

From the forums...

ForensicMania asks: "Here is a quick question. I cloned hard disk using bit-by-bit copy and kept this hard disk without power in evidence store. I was wondering is there any limitation on data storage life-time on that hard disk if kept without providing power to it. e.g., will the data be there after five years?"

Logg replies: "You'll want to store your hard drives each in sealed, anti-static bags in a climate-controlled (arid) room. The baggies run under a dollar a piece at Fry's (or free if you keep them when you purchase hardware for yourself).

Power is your hard drive's enemy, so as long as you maintain low humidity, mild/moderate temperatures, and a generally dust-free environment, you'll be fine.

A flimsy cd that's damaged simply by prolonged exposure to sunlight can otherwise last to 100 years in storage (or so they say). An immobilized hard drive (and a backup drive if costs permit!) will last you the necessary 5 years years ... with a few decades to spare..."

More: http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3943

Top 100 Computer Forensics Twitterers to Follow

noreply@blogger.com (admin) — Mon, 13 Jul 2009 14:42:00 +0000

I'd like to put together a list of the "top 100" computer forensics tweeters out there - click here to add your suggestions!