<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-36666403</atom:id><lastBuildDate>Wed, 01 Sep 2010 15:16:19 +0000</lastBuildDate><title>Forensic Focus Blog</title><description>Thoughts and musings on computer forensics from &lt;a href="http://www.forensicfocus.com"&gt;Forensic Focus&lt;/a&gt;</description><link>http://forensicfocus.blogspot.com/</link><managingEditor>noreply@blogger.com (admin)</managingEditor><generator>Blogger</generator><openSearch:totalResults>123</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="forensicfocusblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.forensicfocus.com/blog/feed.php" />
<item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-9118479785737969701</guid><pubDate>Fri, 20 Aug 2010 10:57:00 +0000</pubDate><atom:updated>2010-08-20T03:59:35.934-07:00</atom:updated><title>'Web 2.0' as evidence</title><description>&lt;div&gt;by Sean McLinden&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;In a recent intellectual property case for which  we were retained, among the electronically stored information (ESI) that  the plaintiff sought for production were internal company blogs and  wikis 
used by the defendant’s developers to discuss new product ideas,  as well as the design and coding of the alleged offending application.  Included in the discovery were sites created using Microsoft®  SharePoint® and MediaWiki software (and others). The discovery order was  crafted with the typical “readily accessible” and “native format”  language that seems totally irrelevant to sites which maintain dynamic  content. &lt;p&gt; Due to the nature of the business, none of the sites for which  production was requested was required to be managed in accordance with  standards for business compliance such as Sarbanes-Oxley or the European  Union Data Protection Directive. All were informal sites created by the  development team to support collaboration with other team members. It  is arguable whether there was any affirmative “duty to preserve” since  it appeared that the developers were totally unaware of any intellectual  property concerns related to their work. &lt;/p&gt;&lt;p&gt; Thus, the issues that arose during production were two-fold: What  constituted “readily accessible” in sites in which the content is  frequently changing and for which point-in-time recovery (PiTR)  solutions do not exist? The producing party’s view was that snapshots of  the current site with resolution and recursion on internal links to one  level of depth was sufficient, but how to produce those snapshots in a  form which was reasonably complete but did not constitute a hardship for  the producing party? Initial attempts using various web crawlers were  abandoned after the output far exceeded the volume of space actually  occupied by the site itself! And given that the site content is, at  least in part, database driven, what is the impact of continued site  use, after the alleged point of infringement, on the database contents? 
&lt;/p&gt;&lt;p&gt; As for “native format”, how does one handle those sites which convert  uploaded content from one form to another using processes which are  undocumented and proprietary? Even if the conversion process is well  documented, what assurances exist that metadata will be preserved? Many  Content Management Systems support import/export programs which convert  documents from their native format to a format more easily viewed from  the Web (e.g. PDF or HTML). In many cases, valuable metadata is removed  by the conversion process...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sean-mclinden"&gt;http://www.forensicfocus.com/sean-mclinden&lt;/a&gt; or discuss &lt;a href="http://www.forensicfocus.com/index.php?name=Forums&amp;amp;file=viewtopic&amp;amp;t=6335"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/08/web-20-as-evidence.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7062210895425353929</guid><pubDate>Wed, 18 Aug 2010 14:02:00 +0000</pubDate><atom:updated>2010-08-18T07:04:08.584-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">scalability</category><title>Scalability: A Big Headache</title><description>&lt;div&gt;by Dominik Weber&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/dominik-weber.jpg" alt="Dominik Weber" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dominik Weber is a Senior Software Architect for Guidance Software, Inc.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  In this month's installment, I will take a break from a specific problem and talk about a fundamental issue with deep forensics: Scalability. &lt;p&gt; Scalability is simply the ability of our forensic tools and processes to perform on larger data sets. We have all witnessed the power of Moore's law. Hard drives are getting bigger and bigger. A 2 TB SATA hard drive is to be had for much under $100. With massive storage space being the norm, operating systems and software are leveraging this more and more. For instance, my installation of Windows 7 with Office is ~50GB. Browsers cache more data and many temporary files are being created. After Windows Vista introduced the TxF layer for NTFS, transactional file systems are now the norm, and the operating system keeps restore points, Volume Shadow Copies and previous versions. Furthermore, a lot of the old, deleted file data will not get overwritten anymore. 
&lt;/p&gt;&lt;p&gt; This "wastefulness" is a boon to forensic investigators. Many more operating and file system artifacts are being created. Data is being spread out in L1, L2, L3 caches, RAM, Flash storage, SSDs and hard drive caches. For instance, the thumbnail cache now stores data from many volumes and Windows search happily indexes a lot of user data, creating artifacts and allowing analysis of its data files. &lt;/p&gt;&lt;p&gt; That was the good news. The bad news is that most of this data is in more complex, new and evolving formats, requiring more developer efforts to stay current. For instance, I am not aware of any forensic tool that analyzes Windows Search databases - not that I had time to look (if you know of such a tool, post in the forum topic, please - see below). Worse than that is the need to thoroughly analyze the data. Traditionally, the first step is to acquire the data to an evidence file (or a set thereof). The data must be read, hashed, compressed and possibly encrypted. All this does take time, despite new multi-threaded and pipelined acquisition engines appearing (for instance in EnCase V6.16). High speed hardware solutions are also more prevalent. Luckily, this step is linear in time, meaning that acquiring a full 2TB hard drive will take twice as long as a full 1TB drive. 
Note that unwritten areas  of hard drives are usually filled with the same byte pattern (generally  00 or FF) and these areas will compress highly, yielding faster  acquisition rates.&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/dominik-weber"&gt;http://www.forensicfocus.com/dominik-weber&lt;/a&gt; or discuss &lt;a href="http://www.forensicfocus.com/index.php?name=Forums&amp;amp;file=viewtopic&amp;amp;t=6324"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/08/scalability-big-headache.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5518779355197988482</guid><pubDate>Wed, 18 Aug 2010 14:01:00 +0000</pubDate><atom:updated>2010-08-18T07:02:29.457-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">passwords</category><category domain="http://www.blogger.com/atom/ns#">single sign on</category><title>Single Sign On</title><description>&lt;div&gt;by Simon Biles&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/simon-biles.gif" alt="Simon Biles" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Simon Biles is a founder of Thinking Security Ltd., an Information  Security and Risk Management consultancy firm based near Oxford in the  UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  Calling something  a “Holy Grail” is an interesting term – the intended  meaning is well known to most of us – i.e. something miraculous that  will solve all of your problems. However given that it’s supposedly a  cup, bowl or dish hardly links it sensibly to password management – none  the less, Single-Sign-On ( henceforth in this article as SSO to save me  from RSI ) is supposedly the “Holy Grail” of Authentication. 
&lt;p&gt; SSO is the answer to the dilemma that we were left with at the end of the last article – we want complex passwords, difficult to break ones, that change often, on all the systems that a user has access to … A rather entertaining (if a little dated now) &lt;a href="http://research.microsoft.com/en-us/um/people/cormac/Papers/www2007.pdf"&gt;paper&lt;/a&gt; from Microsoft tells us that each user has 25 accounts that require passwords, and types, on average, 8 passwords a day – and this is a paper about web-browsing habits, not including primary logons to machines or other work legacy systems. What is more interesting is that each user, on average, has 4.5 passwords each used on 3.9 websites (I love averages – how else can you have ½ a password and .9 of a website!). Looking through some &lt;a href="http://research.microsoft.com/en-us/um/people/cormac/Papers/www2007.pdf"&gt;other literature&lt;/a&gt; suggests that some people manage way, way more than this – with this particular user dealing with 97 separate and distinct password protected systems. &lt;/p&gt;&lt;p&gt; This was recognized as an issue a long time ago, well before we needed to remember our eBay, Amazon and Twitter passwords. &lt;a href="http://web.mit.edu/acs/athena.html"&gt;Project Athena&lt;/a&gt; at the Massachusetts Institute of Technology (MIT) started in 1983 and developed the Kerberos SSO protocol. Kerberos, named after the three headed dog of Greek mythology (Harry Potter fans please note – it was called Kerberos before “Fluffy”), operates on the principle of an authentication server that you authenticate to once with your password, and, assuming you get that right, it grants you a “ticket” that you can take to any other service that identifies you and confirms your authentication. The good news is that all of this happens behind the scenes and all you have to do is remember one password. 
To be fair, it’s a little bit more complicated than that with some quite fun encryption ideas with regard to authentication of source and time stamps to prevent replay attacks. However, it is, in my opinion at least, the daddy of all SSO – so much so that Microsoft Active Directory authentication is, at least almost, Kerberos. (If you want to know a bit more, you can read &lt;a href="http://www.thinking-security.co.uk/docs/BUDS.pdf"&gt;this&lt;/a&gt;, but I can’t claim that you’ll be awake at the end of it.) It can be quite enlightening, if you like that sort of thing (and I do), to watch a Wireshark trace of a Kerberos exchange; Wireshark has quite a good built-in understanding of the protocol and you can see various tickets moving around the system – you can also have a go at recording and replaying them to see if the time stamps really do work … Kerberos also has an interesting sideline in identifying machines to other machines, effectively allowing SSO between clients and servers as well as wetware users...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/simon-biles"&gt;http://www.forensicfocus.com/simon-biles&lt;/a&gt; or discuss &lt;a href="http://www.forensicfocus.com/index.php?name=Forums&amp;amp;file=viewtopic&amp;amp;t=6323"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/08/single-sign-on.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-8916792593025680556</guid><pubDate>Tue, 10 Aug 2010 09:33:00 +0000</pubDate><atom:updated>2010-08-10T02:34:36.818-07:00</atom:updated><title>Authentication and Authorisation</title><description>&lt;div&gt;by Simon Biles&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/simon-biles.gif" alt="Simon Biles" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Simon Biles is a founder of Thinking Security Ltd., an Information  Security and Risk Management consultancy firm based near Oxford in the  UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  Authentication and Authorisation (please notice the “s” is _not_ a  spelling error!) are fundamental to information security – identifying  who a user is (authentication), and what they are allowed (authorised)  to do allow us to restrict access to data in such a way that only the  rightful permitted people can access, modify or copy it. It seems in the  current day and age, we have a habit of lumping the two together with  the term “Identity and Access Management” – but personally, I think that  it is wise to remember that they are separate and distinct processes,  handled at different times and by different parts of the computer that  you are using. &lt;p&gt; Let’s start off with Authentication – the “prove who you are” part.  
Authentication can be performed in certain ways – typically these are described as: something you know, something that you have or something that you are – each one of these is called a “factor” and, logically, combine two or more of them and you have “multi-factor” authentication. The password is an example of the first of these “factor” types, although there are other things, such as the questions you answer for your password reset (the name of your first pet goldfish, your favourite teacher at school, how many warts you have between your toes, that kind of thing). The things that you have are things like smartcards or dongles, whereas the things that you are include all of the biometric measurements – fingerprints, voice recognition and the like. Each of them has its inherent issues – people forget things, lose things, and, rather frighteningly, people can have bits of them taken – numerous examples abound in film – “Angels and Demons” springs to mind as the most recent, but I recall “Thunderball” also makes use of the concept. &lt;/p&gt;&lt;p&gt; However, by far the most common, cheapest and most familiar form of authentication is the password. Passwords are now ubiquitous – if you have a computer &amp;amp; an internet connection, you have a password. Most operating systems implement them in some form now by default, usually for elevation of privileges to an administrative account - those of us that have been using UNIX or its derivatives for the last few decades (or indeed some earlier multi-user operating systems) can all have a good laugh now and congratulate Microsoft and Apple for having caught up. They’ve been around a lot longer than that though, I did a little research and I could certainly find written references to the use of passwords as far back as the Roman legions, and I’ve every confidence that they were in use well before that in some form or another. 
The Roman implementation of passwords was exemplary though, and, quite frankly, something that many modern password implementations could learn from – controlled distribution, frequent changes and traceability of distribution. If you are interested there is more to be found &lt;a href="http://wordinfo.info//words/index/info/view_unit/2667/?letter=T&amp;amp;spage=4"&gt;here (wordinfo.info)&lt;/a&gt;. &lt;/p&gt; The commonality of passwords has created a unique problem (and opportunity from a Forensic viewpoint) that people have terrible memories for things, especially where there is little in the way of context to give them a clue, so they tend to use the same password multiple times. Where, as professionals, we have the capability to enforce certain technical restrictions on the user (password length and complexity requirements, change durations, non-repeatability etc.) we quickly find that the user subverts the process one way or another – the most ubiquitous being the dreaded post-it note! I’d like to draw your attention to the “professional” intelligence agents operating until recently in the US, a 27-character password, having been committed to memory, could have been a significant issue for the Forensic Officers, however, having it written down alongside the computer … well, need I say more?&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/simon-biles"&gt;http://www.forensicfocus.com/simon-biles&lt;/a&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/08/authentication-and-authorisation.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-3393216661167071660</guid><pubDate>Fri, 06 Aug 2010 13:03:00 +0000</pubDate><atom:updated>2010-08-06T06:35:16.835-07:00</atom:updated><title>UK student competition: Win free training on "Investigating Connection Records" course</title><description>UK students - Win a free* place on the "&lt;a href="http://www.forensicfocus.com/src-training-mobile-connection-records" target="_blank" title="http://www.forensicfocus.com/src-training-mobile-connection-records" class="postlink" rel="nofollow"&gt;Investigating Connection Records and  Introduction to Cell Site Analysis&lt;/a&gt;" Training Course in Birmingham  (UK), 23rd – 24th August 2010 provided by Sam Raincock Consultancy.&lt;br /&gt;&lt;br /&gt;To enter you MUST be a current UK student studying for a BSc, MSc or PhD  in a computer science, information security, engineering or computer  forensics discipline. 
You must not be in full or part time employment in  a professional role or have obtained a job offer in such a role.&lt;br /&gt;&lt;br /&gt;&lt;span style="text-decoration: underline;"&gt;Competition Details&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;As a telecommunications and computing forensic specialist, one of the  biggest challenges is to learn how to write simply and succinctly so  your reports/articles can be understood by all.&lt;br /&gt;&lt;br /&gt;With this in mind, to enter you need to prepare an article, no more than  1,000 words, discussing one of the following topic areas:&lt;br /&gt;&lt;br /&gt;- Mobile telephone examination methodology.&lt;br /&gt;- Testing forensic tools.&lt;br /&gt;- Encrypting confidential data.&lt;br /&gt;- Investigating Internet activity on a computer.&lt;br /&gt;- Social engineering and information security.&lt;br /&gt;&lt;br /&gt;You may provide a summary of the topic area or select a sub-topic on  which to concentrate your article. The article should be in a language  and style suitable for a non-technical layperson. Your chosen topic  should not discuss software products and should be entirely your own  work. Articles containing information copied from other sources and not  appropriately cited will be instantly disqualified.&lt;br /&gt;&lt;br /&gt;The article will be assessed by Samantha Raincock for technical  accuracy, readability, structure and the general chosen topic area. One  overall winner will be selected and the author will receive the training  prize as well as their article being published on Sam Raincock  Consultancy’s &lt;a href="http://www.raincock.co.uk/"&gt;website&lt;/a&gt;. All decisions are final.&lt;br /&gt;&lt;br /&gt;Closing date for submission is by 12:00 (noon) BST on 16th August 2010.  The article should be emailed to &lt;a href="mailto:sam@raincock.co.uk"&gt;sam@raincock.co.uk&lt;/a&gt;  in Word format.&lt;br /&gt;&lt;br /&gt;* One free training place is available. 
Recent graduates (2010) without a job offer may apply. The prize will include two days of training and all training  materials. It does not include accommodation, subsistence or travel  costs. The prize is non-transferable and is only valid for the  investigating connection records training course on 23rd – 24th August  2010 in Birmingham. There is no alternative prize. You will need to  provide proof of your student status and your identity. In the unlikely  event the training course is cancelled the prize will become null and  void and SRC will not be responsible for any costs incurred.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-3393216661167071660?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/evWF8JJ4yd1X2UsyCySCgysf26k/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/evWF8JJ4yd1X2UsyCySCgysf26k/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/evWF8JJ4yd1X2UsyCySCgysf26k/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/evWF8JJ4yd1X2UsyCySCgysf26k/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=0Et6cxkodhQ:joo_6qLPi9k:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=0Et6cxkodhQ:joo_6qLPi9k:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0Et6cxkodhQ:joo_6qLPi9k:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/08/competition-for-uk-students-win-free.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-6817284865962300962</guid><pubDate>Thu, 22 Jul 2010 13:02:00 +0000</pubDate><atom:updated>2010-07-22T06:03:18.490-07:00</atom:updated><title>10% Discount on Connection Records/Intro to CSA Training (UK)</title><description>A reminder that there is a 10% discount available until 24th July for  the two day Connection Records/Intro to Cell Site Analysis course in the  UK run by Sam Raincock.&lt;br /&gt;&lt;br /&gt;Further details available &lt;a href="http://www.forensicfocus.com/src-training-mobile-connection-records" target="_blank" title="http://www.forensicfocus.com/src-training-mobile-connection-records" class="postlink" rel="nofollow"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-6817284865962300962?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/oBbzGlOlfYpY6sN70CGWTmyvQ9w/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/oBbzGlOlfYpY6sN70CGWTmyvQ9w/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/oBbzGlOlfYpY6sN70CGWTmyvQ9w/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/oBbzGlOlfYpY6sN70CGWTmyvQ9w/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=8J4V7VRHIbA:679-BssNLV8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=8J4V7VRHIbA:679-BssNLV8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=8J4V7VRHIbA:679-BssNLV8:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/07/10-discount-on-connection-recordsintro.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-3011890028269594328</guid><pubDate>Wed, 30 Jun 2010 10:24:00 +0000</pubDate><atom:updated>2010-06-30T03:25:43.994-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mobile forensics</category><category domain="http://www.blogger.com/atom/ns#">computer forensics training</category><title>Mobile Forensics Training: Investigating Connection Records (UK, Aug 23/24)</title><description>This month sees the launch of the Forensic Focus Preferred Training  program which aims to highlight the very best digital forensics training  available.&lt;br /&gt;&lt;br /&gt;The first course offered is &lt;a href="http://www.forensicfocus.com/src-training" target="_blank" title="http://www.forensicfocus.com/src-training" class="postlink" rel="nofollow"&gt;"Mobile Forensics: Investigating Connection Records"&lt;/a&gt;  delivered in the UK by Sam Raincock of SRC. This is a 2 day course  providing in-depth analysis of connection records and a comprehensive  overview of cell site analysis techniques. A 10% discount is available  for a limited period.&lt;br /&gt;&lt;br /&gt;Further details at &lt;a href="http://www.forensicfocus.com/src-training" target="_blank" title="http://www.forensicfocus.com/src-training" class="postlink" rel="nofollow"&gt;http://www.forensicfocus.com/src-training&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-3011890028269594328?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/hLjIY-OPeHdAdJ43URYHLuDnZKY/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/hLjIY-OPeHdAdJ43URYHLuDnZKY/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/hLjIY-OPeHdAdJ43URYHLuDnZKY/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/hLjIY-OPeHdAdJ43URYHLuDnZKY/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=xbtU9jf3SDg:Z-wHV_weYjI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=xbtU9jf3SDg:Z-wHV_weYjI:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=xbtU9jf3SDg:Z-wHV_weYjI:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/06/mobile-forensics-training-investigating.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-3097540074326386721</guid><pubDate>Wed, 30 Jun 2010 10:04:00 +0000</pubDate><atom:updated>2010-06-30T03:06:12.761-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Windows Search forensics</category><title>Windows Search forensics</title><description>&lt;p style="font-style: italic;"&gt;by Joachim Metz &lt;/p&gt;&lt;p&gt;While some may curse Windows Vista for all its changes, for us forensic investigators it also introduced interesting new 'features'. One is the integration of Windows (Desktop) Search into the operating system. Most corporations have been reluctant to adopt Vista; however, more and more Windows XP systems are being replaced by Windows 7 equivalents. Windows 7 also contains Windows Search and enables it by default. It can actually be challenging to disable, so one can conclude that Windows Search is becoming a relevant source of information in forensic analysis of Windows systems. &lt;/p&gt;&lt;p&gt; What is not widely known is that Windows Search uses the Extensible Storage Engine (ESE) to store its data. This is the same engine that Microsoft Exchange uses. Because ESE uses a proprietary database format, little information about it is available in the public domain. As a consequence, it is unclear how well different forensic tools support the ESE database format. &lt;/p&gt;&lt;p&gt; Several years after the introduction of Windows Vista and Windows Search, only a handful of forensic analysis tools seem to provide support for the Windows Search database, even though a Windows Search database can be a valuable source of evidence. 
This paper  provides an overview of the ESE database format and the Windows Search  database and what it might contribute in your investigations...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/windows-search-forensics"&gt;http://www.forensicfocus.com/windows-search-forensics&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-3097540074326386721?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/JuTdmGDWLyT3qr5HC8OEclsh57Y/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/JuTdmGDWLyT3qr5HC8OEclsh57Y/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/JuTdmGDWLyT3qr5HC8OEclsh57Y/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/JuTdmGDWLyT3qr5HC8OEclsh57Y/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=DlEeQ3igxG0:pXbdoGfF7vg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=DlEeQ3igxG0:pXbdoGfF7vg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=DlEeQ3igxG0:pXbdoGfF7vg:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/06/windows-search-forensics.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4336253842479873874</guid><pubDate>Tue, 29 Jun 2010 14:00:00 +0000</pubDate><atom:updated>2010-06-29T07:02:57.975-07:00</atom:updated><title>Computer Forensics - sometimes it’s all about timing</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_5tpMF05a81Y/TCn85jv8YrI/AAAAAAAAABU/82NLciuEk2o/s1600/sam-raincock.jpg"&gt;&lt;img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 200px; height: 266px;" src="http://2.bp.blogspot.com/_5tpMF05a81Y/TCn85jv8YrI/AAAAAAAAABU/82NLciuEk2o/s320/sam-raincock.jpg" alt="" id="BLOGGER_PHOTO_ID_5488195686706733746" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;"&gt;by Sam Raincock&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When a crime happens, the time of the events may be critical to the  legal case. However, how are these times established? Is it the time  alleged by the witness? When the CCTV system captured the image? When  the computer said the person left their home? When the satellite  navigation system recorded they arrived? When the mobile was cell sited  in the area? Or is it all of the above? &lt;p&gt; There is an abundance of studies addressing the accuracy of witness  evidence. However, what about the accuracy of times provided by  witnesses? &lt;/p&gt;&lt;p&gt; - I know it was 13:05 because I looked at my watch &lt;/p&gt;&lt;p&gt; - I walked past the newsagents and it was open so it must have been  after 13:30 &lt;/p&gt;&lt;p&gt; - I had just had my lunch, watched the news and left at 13:40 &lt;/p&gt;&lt;p&gt; Without looking at your watch/clock (or computer), what time is it? What  time does your watch/clock say? What time is it really? 
&lt;/p&gt;&lt;p&gt; Just like humans, digital devices may tell the incorrect time. In fact,  they often do. Hence, when analysing events, it is crucial to compare  like with like, otherwise the chronology may become scrambled and the  evidence contradictory. In this article, I will discuss the issue of  accurate digital device time and some basic techniques to assist in  questioning and approximating the correct timings...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sam-raincock"&gt;http://www.forensicfocus.com/sam-raincock&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-4336253842479873874?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/EwUQAGISwSn55BfZl4u2g6PHudQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/EwUQAGISwSn55BfZl4u2g6PHudQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/EwUQAGISwSn55BfZl4u2g6PHudQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/EwUQAGISwSn55BfZl4u2g6PHudQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=OMb_3GHmgUw:rZ2za0dEIFw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=OMb_3GHmgUw:rZ2za0dEIFw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=OMb_3GHmgUw:rZ2za0dEIFw:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/06/computer-forensics-sometimes-its-all.html</link><author>noreply@blogger.com (admin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_5tpMF05a81Y/TCn85jv8YrI/AAAAAAAAABU/82NLciuEk2o/s72-c/sam-raincock.jpg" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2161189642460769804</guid><pubDate>Fri, 25 Jun 2010 09:59:00 +0000</pubDate><atom:updated>2010-06-25T03:00:32.841-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">survey</category><title>Forensic Focus 2010 survey</title><description>The Forensic Focus 2010 survey is now online at&lt;br /&gt;&lt;br /&gt;&lt;a href="http://feedbackfarm.com/surveyengine/s.php?i=477" target="_blank" title="http://feedbackfarm.com/surveyengine/s.php?i=477" class="postlink" rel="nofollow"&gt;http://feedbackfarm.com/surveyengine/s.php?i=477&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The survey should take no more than 2 or 3 minutes to complete and does  not require any personal or contact information.&lt;br /&gt;&lt;br /&gt;This year the survey has been expanded to include more detailed  questions on employment issues with the aim of identifying trends across  the industry which can be reported back to the Forensic Focus  readership.&lt;br /&gt;&lt;br /&gt;Thank you very much in advance for completing this short survey, your  responses will have a direct influence on the future of Forensic Focus  and I hope provide useful information to everyone working in this field.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-2161189642460769804?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/vt6CUMq2g7RASjH3vL2qed3jvio/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/vt6CUMq2g7RASjH3vL2qed3jvio/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/vt6CUMq2g7RASjH3vL2qed3jvio/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/vt6CUMq2g7RASjH3vL2qed3jvio/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=0UUCJVTHi94:kknZQiLacYM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?i=0UUCJVTHi94:kknZQiLacYM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:Jwdi1b3fU3Q"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=Jwdi1b3fU3Q" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:XAVGb8Xj5zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=XAVGb8Xj5zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/ForensicFocusBlog?a=0UUCJVTHi94:kknZQiLacYM:u0Zhe-nyOHo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ForensicFocusBlog?d=u0Zhe-nyOHo" 
border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/06/forensic-focus-2010-survey.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-46080145633252331</guid><pubDate>Tue, 22 Jun 2010 12:43:00 +0000</pubDate><atom:updated>2010-06-22T05:43:47.888-07:00</atom:updated><title>Unusual devices</title><description>&lt;div&gt;by Sean McLinden&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;In 2007, New Jersey Governor Jon Corzine made the news twice for a single event. The first time was the report of a car accident on the Garden State Parkway in which he was seriously injured. The second time was a report, which appeared a few days later, detailing how the governor's account of the accident had been contradicted by a witness, his automobile. Since 2000, most US cars have been equipped with a “black box” known as the Motor Vehicle Event Data Recorder. Standards for a common data set, including protections against data theft, altering of vehicle information, odometer fraud and misuse of collected data on owners and drivers are the subject of the IEEE 1616a Standards for Motor Vehicle Event Data Recorders (MVEDRs). In spite of such protections, a number of states have enacted &lt;a href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/EventDataRecorderquotBlackBoxquotLegisl/tabid/13445/Default.aspx"&gt;privacy protections&lt;/a&gt; which regulate the recovery and use of such data. &lt;p&gt; A 2007 Computerworld article was entitled &lt;a href="http://www.computerworld.com/s/article/9013104/Photocopiers_The_newest_ID_theft_threat"&gt;Photocopiers: The newest ID theft threat&lt;/a&gt;. 
In 2010, &lt;a href="http://www.cbsnews.com/video/watch/?id=6412572n&amp;amp;tag=related;photovideo"&gt;CBS News&lt;/a&gt; was able to recover Personal Health Information, and other personally identifiable information (PII) from the hard disk drives of copiers found in a warehouse in New Jersey. These copiers had been leased by various health care, law enforcement, financial and other institutions. &lt;/p&gt;&lt;p&gt; The focus of these stories was the risk to personal privacy, but to forensic examiners and eDiscovery personnel, there is a more significant issue: &lt;i&gt;&lt;b&gt;When does the data contained in such devices constitute evidence deserving of preservation and a possible subject of discovery?&lt;/b&gt;&lt;/i&gt; More important, perhaps, is determining when a thorough investigation demands the examination of information contained in a peripheral that is not normally the subject of a forensic examination. &lt;/p&gt;&lt;p&gt; A couple of recent cases presented to our offices illustrate when and how such concerns arise. &lt;/p&gt;&lt;p&gt; &lt;i&gt;&lt;b&gt;Case 1:&lt;/b&gt;&lt;/i&gt; A branch office of a financial services company becomes concerned that confidential information is in the possession of unauthorized employees and outsiders. This arises after a client notices a securities trade that was undertaken on their behalf but without their knowledge or consent. Internal IT personnel examined each of the office computers and found no evidence of malware, keyloggers or possession of PII except by authorized personnel. An outside digital forensics (DF) firm was brought in to investigate and found no evidence of an intrusion or extrusion. A former IT administrator was the principal suspect but he had been gone for over 6 months and his account disabled. A second DF firm was brought in to confirm the findings of the original firm. 
&lt;/p&gt;&lt;p&gt; The second firm noticed, as did the first, that the small office used a Linksys wireless access point (WAP) in lieu of a wired network. Interviews with then-current IT personnel and attempts to “sniff” the wireless network confirmed that WPA2-PSK was used and that the key was strong. The SSID was not advertised. Using the Web administrative console, the second DF firm determined that the firmware was not the Linksys default, but a modified kernel based upon &lt;a href="http://www.sveasoft.com/support/talisman-firmware"&gt;Sveasoft Talisman&lt;/a&gt;. Further examination showed that it had been configured for port mirroring, something which was also not the default. The former IT administrator had set up a rogue access point which, effectively, doubled as the secure access point for the business...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sean-mclinden"&gt;http://www.forensicfocus.com/sean-mclinden&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/36666403-46080145633252331?l=forensicfocus.blogspot.com' alt='' /&gt;&lt;/div&gt;
</description><link>http://forensicfocus.blogspot.com/2010/06/unusual-devices.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4977723203887556582</guid><pubDate>Thu, 17 Jun 2010 10:23:00 +0000</pubDate><atom:updated>2010-06-17T03:25:03.737-07:00</atom:updated><title>Flash drives and acquisition</title><description>&lt;div&gt;by Dominik Weber&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/dominik-weber.jpg" alt="Dominik Weber" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dominik Weber is a Senior Software Architect for Guidance Software, Inc.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; “Take a look at this”. It started simply with that. &lt;p&gt; A co-worker was looking into some strange issue with an acquisition of a flash drive. It seemed that the acquisition hash changed every time the drive was acquired. The write switch was off. Even a software or hardware write blocker did not prevent this odd effect. &lt;/p&gt;&lt;p&gt; My co-worker did isolate some sector differences between the individual acquisitions. She found out that it was a series of sectors located in “Unallocated Clusters”. &lt;/p&gt;&lt;p&gt; While looking at the real sector data, it changed every time the sector refreshed. It was a series of hex patterns like “44 00”; sometimes they would change to “40 00”, “18 00” or “00 00”. &lt;/p&gt;&lt;p&gt; Then we used a disk editor to read the same sector and the same behavior persisted. Same results with other tools. On different computers. 
&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;b&gt;The Hardware&lt;/b&gt; &lt;/p&gt;&lt;p&gt; I then paused and thought about the way most flash drives are created. A controller chip sits on the USB bus and communicates with the host machine and the actual flash storage chip. The flash storage chip is usually a flat, thin rectangular chip with a series of pins on both sides. Some flash drives have more than one such flash chip. &lt;/p&gt;&lt;p&gt; The controller is responsible for performing the actual sector writes/reads. Should the write switch be set to “read only” mode at device insertion time, the controller would tell the host that this drive is read-only and ignore / fail out write requests. The host, on the other hand, would then use this bit of information in the file system driver and mount the drive in read-only mode. &lt;/p&gt;&lt;p&gt; For instance, the $Log file on improperly dismounted (“dirty”) NTFS drives would not be processed in order to roll back partial transactions. &lt;/p&gt;&lt;p&gt; Furthermore, the controller usually drives an LED to show disk activity and that the device actually is plugged in...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/dominik-weber"&gt;http://www.forensicfocus.com/dominik-weber&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
</description><link>http://forensicfocus.blogspot.com/2010/06/flash-drives-and-acquisition.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5479440370603294161</guid><pubDate>Thu, 17 Jun 2010 10:21:00 +0000</pubDate><atom:updated>2010-06-17T03:22:20.388-07:00</atom:updated><title>Publication: an ethical dilemma for digital forensics research?</title><description>by Chris Hargreaves&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/chris-hargreaves.jpg" alt="Chris Hargreaves" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; Ethical issues in science are commonplace; examples such as cloning, climate change and genetic engineering are all subject to different ethical debates. Some subjects have clearly defined areas of potential ethical problems; for example, in Psychology much consideration is given to the welfare of human participants involved in any experiments conducted. This would involve the consideration of concerns such as participants’ confidentiality, privacy, consent, right to withdraw etc. However, the welfare of human participants in experiments is not the only form of ethical debate and in some research areas there are other particular issues, such as animal rights, or indeed whether a particular technology should be researched at all. 
This article is not an attempt to identify all the potential ethical issues that digital forensics research could be subject to, but instead highlights a particular issue -- the potential impact of making the results of some digital forensics research publicly available. &lt;p&gt; To take a simple (and fictitious) example, consider research into ‘evidence removal’ tools: suppose research into a product revealed that, while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/chris-hargreaves"&gt;http://www.forensicfocus.com/chris-hargreaves&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
</description><link>http://forensicfocus.blogspot.com/2010/06/publication-ethical-dilemma-for-digital.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5053043915225966800</guid><pubDate>Thu, 03 Jun 2010 09:48:00 +0000</pubDate><atom:updated>2010-06-03T02:49:28.433-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Sam Raincock</category><title>Interview with Sam Raincock, Sam Raincock Consultancy</title><description>&lt;b&gt;Forensic Focus: Sam, can you tell us something about your background  and how you became involved in computer forensics?&lt;/b&gt; &lt;p&gt; &lt;/p&gt;&lt;table align="right" border="0"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/sam-raincock.jpg" alt="Sam Raincock" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; &lt;i&gt;Sam Raincock&lt;/i&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;p&gt; Sam Raincock: Prior to university, I’d never considered computing as a  potential career; in fact, I hadn’t really used computers apart from  playing games.  I decided I wanted to be a physicist and solve the  world’s particle physics problems.  After embarking on a physics degree,  I became more interested in computers (even though they were running  3.1 and Solaris!)  I made the radical decision to change my degree  course to a BSc in computer science even though I was a complete novice  in the area.  However, I learnt very quickly and really enjoyed the  challenges and problem solving.  I was also lucky to work in two summer  internships in IT departments at Morgan Stanley during my degree, so I  at least had an appreciation of bigger businesses. 
&lt;/p&gt;&lt;p&gt; After my undergraduate degree, I embarked on research into the human factors involved in 3D imagery on 3D display systems – again a completely different area from my previous computing experience. However, I liked the mathematical challenges and the combination with human vision psychology. At the same time I was also working in contracting in web development and providing tutorials in all different types of computer science for undergraduates. I really enjoyed the teaching but I found being a programmer quite monotonous – it was a great insight into proving that a full-time role in computer programming was not for me. &lt;/p&gt;&lt;p&gt; The research time and ability to develop a questioning mind is invaluable in my career today but after a few years of academic research I was really looking for a business driven challenge. An opportunity with Keith Borer Consultants, a forensic science company based in Durham, was presented to me and I started working as a mobile telephone/cell site examiner. There was a lot of flexibility and encouragement and I was able to perform research and development into whichever digital fields I wished to explore - so I opted for them all! &lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;b&gt;Forensic Focus: What services does Sam Raincock Consultancy offer? What is a typical working week like?&lt;/b&gt; &lt;/p&gt;&lt;p&gt; Sam Raincock: The business is primarily concerned with providing a combination of computer investigation/expert witness services and IT security assessment services to corporates and solicitors alike. I love solving complex problems so I particularly enjoy computer forensic cases involving technically complex scenarios/problems or software system assessments (how does software A produce B logs and what do C logs actually mean). 
&lt;/p&gt;&lt;p&gt; In the telecommunications field, SRC can offer a full range of services  but primarily concentrates on taking expert instructions in complex  connection record and cell site analysis cases and providing advice to  other companies in these types of cases.   &lt;/p&gt;&lt;p&gt; My current passion is working in the breadth of the IT security fields  with particular interest in ISMSs, the effective use of encryption,  procedures for forensic labs, corporate investigations, process  improvement post incident and the ISO 27001 standard.  Very recently, I  was accepted to work as an assessor with A2LA regarding digital and  telecommunications lab assessments.  I am very excited to be a part of  the American new forensic lab standards. &lt;/p&gt;&lt;p&gt; I also provide training in all of the above and in my ‘spare’ time I  write papers and perform research.  I am also studying for the CISSP and  ISO 27001 lead auditor certs.   &lt;/p&gt;&lt;p&gt; Currently, a typical week is very long – around 80 hours if not more.   Working in so many fields is quite a challenge but there is also the  business element too – I have become my own accountant, marketing  manager, IT Manager etc.  However, I love the all round skills it is  providing me with and how it enables me to work with a diverse range of  partners, bodies and clients...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sam-raincock-interview-300510"&gt;http://www.forensicfocus.com/sam-raincock-interview-300510&lt;/a&gt;&lt;br /&gt; &lt;/p&gt;
</description><link>http://forensicfocus.blogspot.com/2010/06/interview-with-sam-raincock-sam.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2861116242889562484</guid><pubDate>Mon, 24 May 2010 15:28:00 +0000</pubDate><atom:updated>2010-05-24T08:31:23.515-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">EnCase</category><title>EnCase file copying and Windows Short File Names</title><description>&lt;p&gt;By Lee Hui Jing, EnCe&lt;/p&gt;A couple of months ago, one of my clients, an Investigating Officer from a Law Enforcement Agency, asked me to extract some of the files from an image copy of a hard disk. The total number of files to be copied was 1,030. Sounds easy, right? This job of a few clicks turned out to be a nightmare when I found out that I was short of 2 files in my destination folder. I had selected 1,030 files to be copied, but in the end, only 1,028 files were copied. More surprisingly, I received output from the EnCase Copy operation: ‘Status: Completed’. But where did the other 2 files go? Why had EnCase produced ‘Status: Completed’ when, actually, 2 files were missing? Referring back to the image copy, I found out that most of the files had the same filename as each other. &lt;p&gt; It is very common for an analyst to face evidence files which have the same filename. This circumstance exists when: &lt;/p&gt;&lt;p&gt; 1. There are 2 files with the same name, but they are put in different folders.&lt;br /&gt;2. There are 2 files with the same name, but with different MAC times. &lt;/p&gt;&lt;p&gt; A procedure to be followed before analyzing a case is to recover all files and folders. When you use recover options, the deleted files will be recovered, and sometimes these deleted files have the same file name as the existing files, but with different MAC times. 
&lt;/p&gt;&lt;p&gt; But is it possible that EnCase can fail to copy all the files under these circumstances? For those readers who are new to EnCase, you may ask, why do you need to copy the evidence file in the first place? Let me try to put it simply: in computer forensic methodology, after the analysis phase, we will present the findings to our clients. So usually what we do is to copy out the evidence files using EnCase so that our clients can access the files in their workstation, without looking at the whole hard disk image. So the real question now is how sure are you that the selected files are properly copied to your designated folder? Is it sufficient to rely on the EnCase notification window after the EnCase copying process has been executed?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/encase-file-copying-windows-short-file-names"&gt;http://www.forensicfocus.com/encase-file-copying-windows-short-file-names&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
</description><link>http://forensicfocus.blogspot.com/2010/05/encase-file-copying-and-windows-short.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4046774987913004061</guid><pubDate>Fri, 14 May 2010 09:15:00 +0000</pubDate><atom:updated>2010-05-14T02:16:10.483-07:00</atom:updated><title>Positive predictive value and digital forensics</title><description>&lt;div&gt;by Sean McLinden&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;In my &lt;a href="http://www.forensicfocus.com/index.php?name=Content&amp;amp;pid=342"&gt;last column&lt;/a&gt;, I discussed the concept of prior probability, that is to say, the likelihood that conclusion A can be derived from fact B with no additional data. In medical diagnosis, prior probability is estimated in order to determine the need for and type of additional investigation. &lt;p&gt; Another tool used by clinicians is that of the positive predictive value (PPV). In essence, the PPV is the likelihood that a positive value for a given test will confirm the operative hypothesis (diagnosis). All things being equal, choosing the procedure with the highest positive predictive value will be the single most useful step in confirming the clinician’s suspicion. &lt;/p&gt;&lt;p&gt; Of what relevance is this to digital forensics? &lt;/p&gt;&lt;p&gt; As I commented previously, it appears that US courts, especially civil courts, are increasingly limiting the scope of discovery out of concerns that discovery may violate expectations of privacy or be too burdensome to the producing parties. 
In a recent case in which I was  involved, the judge required the requesting party to propose an  alternative to production of forensic images of an entire enterprise  network’s computers solely to search for possible instances of the  plaintiff’s intellectual property (engineering drawings) located on the  defendant’s computers. Instead, the court restricted the discovery to  only those devices which were used to store or manipulate files of the  same type as the engineering drawings and, of course, to only those  documents which were reasonably accessible. &lt;/p&gt;&lt;p&gt; In addition, some judges are now following the principle of “one bite of  the apple”, i.e., limiting production to a single request.  Not  surprisingly, though not always successfully, this has led to the notion  of discovery for the purpose of discovery;  the classic slippery slope...&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/sean-mclinden"&gt;http://www.forensicfocus.com/sean-mclinden&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/cd-Y9WTHfl94BSsgwEObmBXtzSo/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/cd-Y9WTHfl94BSsgwEObmBXtzSo/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/05/positive-predictive-value-and-digital.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1820476427831648303</guid><pubDate>Thu, 13 May 2010 12:14:00 +0000</pubDate><atom:updated>2010-05-13T05:15:36.201-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">security metrics</category><title>Security metrics - proving you've made a difference</title><description>by Simon Biles&lt;br /&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/simon-biles-oxford.gif" alt="Simon Biles" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Simon Biles is a founder of Thinking Security Ltd., an Information  Security and Risk Management consultancy firm based near Oxford in the  UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  Language is a funny thing – even though we may speak the same basic  language, the nuances, construction and vocabulary are very individual. I  find listening to my children a wonderful thing – sometimes I hear  either my words, or those of my wife, but more often I hear distinct  phrases and words that are unique to them. This month, they have  challenged me, in an oft-played game, to insert words that are uniquely  theirs, and not mine, into this column – so, embedded somewhere in the  next eight hundred or so words are two words that have been given to me –  I’ll publish the name of anyone next month who can tell me which two  they are!  &lt;p&gt; Given that two people may interpret any given word in vastly different  ways depending on their backgrounds, how do we ensure there is a  consensus of understanding? 
We operate in a field that has very definite  concepts – true or false, on or off, zero or one – binary choices.  There are few shades of uncertainty (all smart comments about quantum  computing to /dev/null please) – it’s there or it isn’t, and unless we  are called upon to give our opinions as experts, we are bound, at least  ethically if not legally, to make statements of fact. I personally find  it an immense problem though, that so often there are not really clear  definitions of terms – or at least not clear definitions that you can  easily present to a customer (or worse, a jury).  &lt;/p&gt;&lt;p&gt; To add further problems, for me at least, I subscribe to a code of  ethics that prohibits the use of “FUD” in dealing with customers (see &lt;a href="http://www.csoonline.com/article/217983/The_FUD_Factor"&gt;http://www.csoonline.com/article/217983/The_FUD_Factor&lt;/a&gt;).  “Fear, Uncertainty and Doubt” have to be the biggest drivers in  Information Security sales as a quick survey of some major security  vendors supports: &lt;/p&gt;&lt;p&gt; “… cyber cold war, with critical infrastructures under constant  cyberattack causing widespread damage” – McAfee (fear of attack) &lt;/p&gt;&lt;p&gt; “Do you know where your data ends up?” – Checkpoint (uncertainty) &lt;/p&gt;&lt;p&gt;  “Today's attackers evade traditional security solutions, leaving your  business vulnerable to data theft.” – Symantec (doubt in your  “traditional” solution) &lt;/p&gt;&lt;p&gt; Having put up these examples, I had a moment of paranoia and had to  check my own website just to be sure – it really is a very easy thing to  do - “pas de touché” fortunately!  
&lt;/p&gt; So where does this leave us?&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/simon-biles"&gt;http://www.forensicfocus.com/simon-biles&lt;/a&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/05/security-metrics-proving-youve-made.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-8811744644736384818</guid><pubDate>Thu, 13 May 2010 10:12:00 +0000</pubDate><atom:updated>2010-05-13T05:15:59.943-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">encryption</category><title>How encryption affected my life</title><description>&lt;div&gt;by Dominik Weber&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/dominik-weber.jpg" alt="Dominik Weber" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dominik Weber is a Senior Software Architect for Guidance Software,  Inc.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  Encryption and the lack thereof changed my life. In the early 1990’s I  realized that encryption is very underused and in the near future it  will become essential for most people and companies. At that time,  hardly any user encrypted any data. Even in the financial sector, good  encryption was  applied seldom. Thus, I chose the focus of my Masters in  Computer Science to be Cryptography. My thesis was researching the  synergistic properties of compressing data before cryptographically  hashing it. &lt;p&gt; When the large forensic company I am currently working for decided to  create an Enterprise-Level product, I worked on cryptographic protocol,  the Authentication and Encryption Algorithms, their FIPS 140-2  validation and implementation. This took a long time, proving the  well-known fact that well designed protection is not a simple or quick  task. 
The proper selection of algorithms, threat modeling, secure coding  practices, entropy and key management are just some of the many facets I  had to address. Finally my co-inventors and I obtained a patent  protecting this intellectual property. &lt;/p&gt; I was very careful because I knew firsthand how disastrous a lack of  protection can be - it was the trigger for my divorce...&lt;br /&gt;&lt;br /&gt;Read more at &lt;a href="http://www.forensicfocus.com/dominik-weber"&gt;http://www.forensicfocus.com/dominik-weber&lt;/a&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/05/how-encryption-affected-my-lifehow.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-4085064544561904609</guid><pubDate>Fri, 07 May 2010 14:15:00 +0000</pubDate><atom:updated>2010-05-07T07:16:12.658-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">peer review</category><category domain="http://www.blogger.com/atom/ns#">computer forensics</category><title>Peer review: pros and cons</title><description>&lt;div&gt;by Chris Hargreaves&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/chris-hargreaves.jpg" alt="Chris Hargreaves" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dr Chris Hargreaves is a lecturer at the Centre for Forensic  Computing at Cranfield University in Shrivenham, UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  Traditional academic publications are peer reviewed, e.g. journal papers  and conference proceedings, and there are now many examples of these  that specifically cover digital forensics (e.g. &lt;a href="http://www.elsevier.com/locate/diin"&gt;Digital Investigation&lt;/a&gt;, &lt;a href="http://www.tandf.co.uk/journals/titles/15567281.asp"&gt;Journal of  Digital Forensic Practice&lt;/a&gt;). However, a considerable amount of useful  forensic research is available from what are, in traditional academic  terms, considered to be less reliable sources of information (including  resources such as blogs, non-peer reviewed papers and forum posts). 
This  article highlights the strengths of these media for distributing  results of digital forensic research, but also discusses the value that  is added when even a brief discussion of the methods used to obtain the  results, and an open discussion of the limitations of the research is  included when posting results online. &lt;p&gt; One of the main advantages of peer-reviewed publications in a journal or  in conference proceedings is that one or more other people in the field  have examined it and they have independently decided that the paper is  suitable for publication. This peer-review process ensures that the  author has discussed and explained contradictory theories and considered  whether the results obtained are general or due to carefully chosen  specific experiments. It also ensures that conclusions drawn are well  supported by evidence and that enough information is contained for  experiments to be repeated and the results verified. The criteria by  which a publication can be judged as suitable can vary, but are also  likely to include criteria such as technical accuracy, whether the  results can be generalised, relevance, timeliness, etc. This process is  in place to ensure that the published work has a certain level of  quality...&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.forensicfocus.com/chris-hargreaves"&gt;Read more&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/05/peer-review-pros-and-cons.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-2731918970023799376</guid><pubDate>Mon, 19 Apr 2010 12:02:00 +0000</pubDate><atom:updated>2010-04-19T05:03:40.051-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">ACPO Good Practice Guide</category><title>Survey: ACPO Good Practice Guide for Computer-Based Electronic Evidence</title><description>An editorial panel is currently reviewing the ACPO Good Practice Guide  for Computer-Based Electronic Evidence and is seeking the views of  interested parties from both the law enforcement and private community  of users and service providers, the IT sector, and academia. The  panel's remit is to update the content to ensure it is current and  relevant, and to see if there is any area of digital forensics not  included in the guide that would benefit from inclusion. Participants  are asked to complete a survey at &lt;a href="http://www.surveymonkey.com/s/YTZVX2W" target="_blank" title="http://www.surveymonkey.com/s/YTZVX2W" class="postlink" rel="nofollow"&gt;www.surveymonkey.com/s/YTZVX2W&lt;/a&gt; and submit their  views.
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/04/survey-acpo-good-practice-guide-for.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7688348750785774952</guid><pubDate>Wed, 07 Apr 2010 11:52:00 +0000</pubDate><atom:updated>2010-04-07T04:53:51.362-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">craig ball</category><title>Neutral examiners</title><description>&lt;div&gt;by Craig Ball&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/craig-ball.jpg" alt="Craig Ball" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; I recently posted an open letter to judges on a blog that caters to an e-discovery audience. I asked judges to stop ordering parties to turn over their systems to the opposing side's computer forensic examiners and argued that most civil forensics work should be reserved to &lt;i&gt;neutral&lt;/i&gt; examiners. &lt;p&gt; Now, while you rush to warm the tar and pluck the feathers, please hear me out. &lt;/p&gt;&lt;p&gt; Yes, most of my work as a computer forensic examiner is done as a neutral, but I do a lot as a partisan on either side of civil cases. Even so, use of a neutral isn't something that uniquely benefits me. It's something any competent, ethical examiner can and should do. What I'm advocating won't hurt you; in fact, it'll likely add to your job satisfaction. 
&lt;/p&gt;&lt;p&gt; Here's what I posted: &lt;/p&gt;&lt;p&gt;&lt;br /&gt;"Your Honors: &lt;/p&gt;&lt;p&gt;I just read another opinion where the Court decided to let one side's computer expert examine an opposing party's computers. The Court seemed more concerned with who would pay for the exam than what its consequences might be. &lt;/p&gt;&lt;p&gt;I'm a lawyer and computer forensic examiner, and I make part of my living doing just the sort of examinations the court ordered. I've done a whole bunch of them. So, while part of me wants to encourage courts to order more forensic exams — and I can surely attest to their efficacy in resurrecting data thought gone and exposing case-making evidence — the angel at my ear requires me to softly whisper, "WHAT THE HECK WERE YOU THINKING, JUDGE?!?..."&lt;/p&gt;&lt;p&gt;Read more at &lt;a href="http://www.forensicfocus.com/craig-ball"&gt;http://www.forensicfocus.com/craig-ball&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/04/neutral-examiners.html</link><author>noreply@blogger.com (admin)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-173552699438569210</guid><pubDate>Thu, 01 Apr 2010 09:24:00 +0000</pubDate><atom:updated>2010-04-01T02:27:40.546-07:00</atom:updated><title>IFFEE and DoJEE</title><description>April 1st sees the announcement of two new organisations for digital forensics professionals. The International Federation of Forensic Examiners in Europe (IFFEE) and the Department of Justice Expert Examiners (DoJEE) group in the US both aim to provide practitioners with a variety of benefits ranging from professional liability insurance to full immunity against prosecution and covert extraction to a country of their choosing. These new organisations are also running a special promotion for the next 24 hours offering new members a complimentary packet of felt tip pens to improve the presentation of their reports - anyone wishing to take advantage of this great offer should email idprefercrayons@iffeeanddojee.com immediately.
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/04/iffee-and-dojee.html</link><author>noreply@blogger.com (admin)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-7639063838772598531</guid><pubDate>Fri, 26 Mar 2010 11:12:00 +0000</pubDate><atom:updated>2010-03-26T04:14:10.999-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">dan gaskell</category><category domain="http://www.blogger.com/atom/ns#">copyright</category><category domain="http://www.blogger.com/atom/ns#">games consoles</category><title>Copyright contravention and the modification of games consoles</title><description>&lt;div&gt;by Dan Gaskell&lt;/div&gt;&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/dan-gaskell.jpg" alt="Dan Gaskell" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dan Gaskell is a Solicitor and Higher Courts Advocate with Tuckers Solicitors in the UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; The Copyright Design and Patents Act 1988 (CDPA) was amended by Statutory Instrument on 31 October 2003 through the introduction of the Copyright and Related Rights Regulations 2003. The driving force behind this was an EC Directive and ought to have provided a consistent approach across the EC in respect of the issue of the modification of games consoles and what is or is not legal. The reality has seen quite a different approach being adopted in this country from the approach adopted in other member countries and in particular Italy, Spain and more recently France. 
&lt;p&gt;The Regulations extended section 296 of the CDPA and made it a criminal offence under s296ZB CDPA to, inter alia, manufacture, import, sell or advertise for sale devices, the primary purpose of which was to circumvent the Effective Technical Measures which are a security feature of games consoles manufactured by the likes of Sony, Microsoft and Nintendo. These devices are commonly known as modchips but take a number of different forms according to the technology with which they are designed to function. &lt;/p&gt;&lt;p&gt;Since the introduction of the legislation a number of criminal prosecutions have followed, driven by the Entertainment and Leisure Software Publishers Association (ELSPA), but only in the last 12-18 months has the legislation been tested fully enough for certain conclusions to be reached as to what must be proved to establish that criminal offences have been committed. In reaching those conclusions, however, the Court of Appeal has raised further issues for consideration in defending cases in the future...&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.forensicfocus.com/dan-gaskell"&gt;Read more&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/03/copyright-contravention-and.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-1355867983937913816</guid><pubDate>Tue, 23 Mar 2010 12:25:00 +0000</pubDate><atom:updated>2010-03-23T05:27:50.962-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">sean mclinden</category><title>Applying medical diagnostic principles to digital forensics</title><description>by Sean McLinden&lt;br /&gt;&lt;br /&gt;In an ideal world, health care would cost nothing and medical tests and  procedures would be without risk or discomfort to the patient. The fact  that the world is not ideal is one reason why health care reform is one  of the top political issues in the United States at the moment. Medical  tests can be costly, invasive and potentially life threatening to the  patient and, for those reasons, the skillful practice of medicine  involves the judicious use of testing which balances all of the costs  against the likely benefits. &lt;p&gt; Patient care does not always involve certainty. In many cases, the  health care practitioner (HCP) is forced to deal with likelihoods and  probabilities on the path to certainty and, in rare instances, certainty  may never be achieved.  The absence of certainty is not always a  barrier to treatment and response to treatment can be a step toward  definitive diagnosis but, like medical tests, treatments can have their  risks and the decision to treat must weigh these risks against the  likelihood that the presumptive diagnosis is correct. To address the  issues of uncertainty, cost, risk and benefits, HCPs employ, whether  explicitly or implicitly, a collection of heuristics which provide  guidance in the selection of tests and the determination of treatments.  
That a similar set of heuristics can, will and, in some cases, must guide the practice of digital forensics I hope to demonstrate by what follows. &lt;/p&gt;&lt;p&gt; Traditionally, computer forensics begins with the seizure of all possible evidence, then test, test, test until either you find something or you decide that there is nothing to be found. To paraphrase an example attributed to Rob Lee, this is like doing an autopsy as the first step in a medical examination. &lt;/p&gt;&lt;p&gt; This is a luxury which may become the exception rather than the norm for digital forensic (DF) examinations in the future. The ubiquity of personal, portable storage devices, the sheer volume of storage available on even the smallest of digital devices and the costly and invasive nature of indiscriminate requests for the bit-for-bit copy are all issues with which US courts and DF examiners have grappled. Simple techniques for hiding data and obfuscating user activities are readily available and widely known though less widely used, although I expect the latter to change as threats to privacy become greater. The Internet and the proliferation of social networking, peer-to-peer file sharing and other technologies have the potential to put much of the evidence outside the grasp of the traditional forensic investigator where, again, privacy concerns may limit the courses of action in civil matters. &lt;/p&gt; Increasingly, DF practice is likely to parallel the process of medical diagnosis in key aspects...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.forensicfocus.com/sean-mclinden"&gt;Read more&lt;/a&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/03/applying-medical-diagnostic-principles.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-36666403.post-5995297362621784376</guid><pubDate>Mon, 22 Mar 2010 08:59:00 +0000</pubDate><atom:updated>2010-03-22T02:00:30.186-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">chris hargreaves</category><title>What is this field called anyway?</title><description>by Chris Hargreaves&lt;br /&gt;&lt;p&gt; &lt;/p&gt;&lt;table align="right" bgcolor="white" border="0" width="100"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td&gt; &lt;img src="http://www.forensicfocus.com/images/other/chris-hargreaves.jpg" alt="Chris Hargreaves" align="right" border="0" /&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td align="center"&gt; About the Author&lt;p&gt; &lt;i&gt;Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.&lt;/i&gt; &lt;/p&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; In this series of articles I hope to explore some of the issues in forensic computing from an academic perspective, which will hopefully complement the perspectives from other columnists in the corporate, legal and software development fields. &lt;p&gt; In this first article it seemed sensible to start at the beginning and discuss something that may seem trivial but does have several implications, both practical and philosophical, and is not just an argument about semantics. The issue is this: what is the field that we work in actually called? &lt;/p&gt;&lt;p&gt; The field of acquiring, analysing and presenting digital evidence goes by several names: in the case of our MSc the term 'Forensic Computing' is used, but this is one of many. 
Browsing through a &lt;a href="http://www.forensicfocus.com/computer-forensics-education-directory"&gt;list of available courses&lt;/a&gt; in this area (recently compiled by Forensic Focus) reveals a number of other names including 'Computer Forensics', 'Digital Forensics', and 'Cybercrime Forensics'. &lt;/p&gt;&lt;p&gt; Are there any differences between what the courses offer? Almost certainly yes, but are the courses named differently in order to reflect different content? I suspect not. This is just one example of a common issue - uncertainty about what the field is called, if it is indeed one field. The remainder of this article describes some of the various names that are used for the field, followed by a discussion of some of the issues that occur as a result of a lack of unity as far as naming is concerned, largely from an academic perspective. Finally, it will be argued that this is actually a small symptom of a broader issue. &lt;/p&gt;&lt;p&gt; So what are the different terms that are in use and is there anything wrong with any of them? The term 'Computer Forensics' is widely used but as Eoghan Casey points out in Digital Evidence and Computer Crime, this is "a syntactical mess that uses the noun computer as an adjective and the adjective forensic as a noun". So, 'Computer Forensics' is a poor use of the English language, and while many people may not have an issue with this, it should probably not be used...&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.forensicfocus.com/chris-hargreaves"&gt;Read more&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><link>http://forensicfocus.blogspot.com/2010/03/what-is-this-field-called-anyway.html</link><author>noreply@blogger.com (admin)</author><thr:total>0</thr:total></item></channel></rss>
