Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
Forensic Focus newsletter, January 2006

__/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/



http://www.ForensicFocus.com


Welcome to the latest edition of the Forensic Focus newsletter!


In this issue:

1. News roundup
2. Analysis of hidden data in the NTFS file system
3. This month in the Forensic Focus forums
4. Useful resources
5. Submitting an article to Forensic Focus


**********************************************************

Submitting an article to Forensic Focus

If you would like to write an article for either the Forensic Focus newsletter or website please send a short proposal through

http://www.forensicfocus.com/contact

**********************************************************


1. News roundup

A selection of computer forensics news items hitting the headlines this month

DHS CYBERSECURITY BUDGET GROWS TO FIGHT COMPUTER CRIME
With computer crimes on the increase, the Homeland Security Department is preparing to beef up its cybersecurity capabilities by increasing the budget of the National Cyber Security Division, home to the U.S. Computer Emergency Readiness Team (US-CERT). At a Jan. 24 round table on cybercrime hosted by Symantec Corp., Andy Purdy, acting director of NCSD, said the budget for his organization is expected to grow by $25 million in fiscal 2007—a significant increase, given that the division's budget for this year is about $79 million...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=391

UK SECURITY PROFESSIONALS BACK TOUGHER LAWS FOR HACKERS
The IT security industry has almost unanimously given its backing to government plans to update the Computer Misuse Act (CMA) and introduce more severe custodial sentences for cyber criminals. And many are urging the government to now 'go the distance' and ensure the bill is passed and the new laws come into effect as soon as possible - and are policed effectively...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=389

GUIDANCE SOFTWARE ADDS PATRICK ZELLER TO LEGAL AND REGULATORY TEAM
Guidance Software announced today that it has added Chicago-based litigator Patrick Zeller to the Legal and Regulatory team as assistant general counsel. As both a former assistant attorney general focused on computer crime and as eDiscovery and litigation counsel with the national law firm of Seyfarth Shaw, Zeller's career focus addresses the myriad of legal and compliance issues surrounding high technology...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=387

EXPANSION IMMINENT FOR COMPUTER FORENSICS AT BLOOMSBURG UNIVERSITY (US)
Governor Rendell recently announced that Bloomsburg University will receive two state grants: a $200,000 grant to support the Greater Susquehanna Keystone Innovation Zone and a $63,000 grant to support the Pennsylvania Center for computer forensics research...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=385

FINDING FRAUD IN DIGITAL IMAGES (PODCAST)
Associate professor of computer science Hany Farid is interested in detecting whether a digital image has been manipulated. Because digital images are found everywhere today, he explains that his research can be used to examine images to see if they have been tampered with. This has immediate relevance for the fields of law, media, and science. In this podcast, he talks about his work in digital forensics and how it can be implemented...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=384

CERT'S VIRTUAL TRAINING ENVIRONMENT (VTE) OPEN TO PUBLIC
CERT's Virtual Training Environment (VTE), with more than 160 hours of multimedia-based instruction in information assurance and computer forensics, is now available to the public. The Virtual Training Environment (VTE) is a Web-based knowledge library for Information Assurance, computer forensics and incident response, and other IT-related topics. VTE is produced by the Software Engineering Institute at Carnegie Mellon University...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=383

TRACING AN EMAIL
The purpose of this guide is to show the process involved in tracing an email. The first step required to trace an email is finding the headers of the email. What are headers? Email headers are lines added at the top of an email message that are used by servers as the email is en route to delivery. Generally email clients only show the standard To, From, and Subject headers, but there are more...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=382

NEW COMPUTER FORENSICS LAB CRACKS DOWN ON IDENTITY THEFT
Pierce County is attacking identity theft with new technology and vigor that could warn potential victims sooner and lock up crooks longer. Investigators from the prosecutor's office and sheriff's department have opened a computer forensics lab that allows them to dig deeper into the hardware and software Pierce County law enforcement officers seize as part of identity theft cases...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=381

FBI: 90% OF ORGANIZATIONS FACE COMPUTER ATTACK; 64% INCUR FINANCIAL LOSS
The FBI reports that 9 out of 10 organizations in the country are victims of some sort of computer security incident, and one-fifth are hit more than 20 times a year. Almost two-thirds suffer financial loss as a result of the cyber incidents. The 2005 FBI Computer Crime Survey is based on responses from a cross-section of more than 2,000 public and private organizations...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=380

DEFENSE LAB ACCREDITED IN COMPUTER FORENSICS
After years of work, the Defense Computer Forensics Laboratory—part of the DOD Cyber Crime Center (DC3)—has been accredited by the American Society of Crime Laboratory Directors/Laboratory Accreditation Board. Ralph Keaton, executive director of ASCLD/LAB, presented the certificate of accreditation to representatives of DCFL Jan. 10 during the first day of the DOD Cyber Crime Conference...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=376

GOV'T CYBER-SLEUTHS FOCUSING ON LINUX, IPOD, XBOX
Cyber-security and computer experts from the government and law enforcement are increasingly concerned with malicious code that runs on Linux and Apple Computer Inc.'s Mac OS X operating systems and threats posed by devices such as iPods and Xboxes. Intensive courses on the Mac OS X and Linux operating systems, as well as iPods, were just a few of the offerings at a recent cyber-security conference sponsored by the U.S. Department of Defense. Network administrators and cyber-investigators say they are increasingly being called on to investigate compromises of non-Windows operating systems and to analyze portable devices such as iPods, according to interviews with attendees by eWEEK...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=375

FTC LAUNCHES SITE TO FIGHT CYBERCRIME
Responding to the rising cybercrime threat, the Federal Trade Commission on Tuesday unveiled an online tool designed to help consumers avoid becoming victims of Internet scams. At the website, www.onguardonline.gov, consumers can take interactive quizzes designed to enlighten them about ID theft, phishing, spam and online-shopping scams...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=374

UNDELETE THOSE DELETED EMAILS, FOIA RULING TELLS UK GOVERNMENT
'Deleted' Government records needn't necessarily be treated as deleted after all, according to a ruling by the Information Tribunal, which deals with appeals against rulings under the Freedom of Information Act. "The Tribunal understands that information which is held electronically and then deleted (and even emptied later from a 'recycle bin' or 'trash can') is still in fact retained in its original form on the computer system until it is subsequently and actually overwritten by other information." In view of this "it may be incumbent on a Public Authority to make attempts to retrieve deleted information. Accordingly the authority should establish whether information is completely eliminated, or merely deleted."
http://www.forensicfocus.com/index.php?name=News&file=article&sid=373

2005 FBI COMPUTER CRIME SURVEY
Despite investing in a variety of security technologies, enterprises continue to suffer network attacks at the hands of malware writers and inside operatives, according to an annual FBI report released today. Many security incidents continue to go unreported. The 2005 FBI Computer Crime Survey was taken by 2,066 organizations in Iowa, Nebraska, New York, and Texas late last spring, which survey organizers deemed a good sample of enterprises nationwide...
http://www.forensicfocus.com/index.php?name=News&file=article&sid=372

Want to comment on any of the issues raised above? Please use the Forensic Focus forums at http://www.forensicfocus.com/computer-forensics-forums


2. Analysis of hidden data in the NTFS file system

by Cheong Kai Wee
Edith Cowan University

Criminals holding sensitive information such as crime records tend to hide or encrypt it so that even if their computers are seized by the police there is no evidence that can be used against them. There are many ways data can be hidden. The best known are data encryption and steganography. The file system itself can also be used to hide data. This paper discusses some of the possible ways to hide data in the NTFS file system and the analysis techniques that can be applied to detect and recover hidden data. This paper focuses on criminals as the users of data hiding techniques, with forensic analysts as the main audience they want to hide data from. Data hiding techniques that only work against ordinary users, such as setting the hidden attribute of a file, are not included.

This paper discusses some of the methods that can be used to hide data in NTFS and the analysis techniques that can be used to detect and recover hidden data. The target readers of this paper are forensic analysts and examiners. Throughout this paper, the word "suspect" refers to the owner of the digital devices on which analysis is performed to retrieve digital evidence.

RunTime's DiskExplorer for NTFS v2.31 is used to create the hidden data manually for testing purposes. The only exception is the hidden data in an alternate data stream, which is created with a normal DOS command. The tools used to analyse the hidden data are Windows XP chkdsk, Sleuth Kit 2.02, Foremost 0.69, comeforth 1.00, dd, hexedit and strings. The test data is created on a machine running Windows XP version 5.1.2600.


Background Of NTFS

In NTFS, everything is a file. This includes the file system metadata that describes the structure of the file system itself. The MFT (Master File Table) is the heart of NTFS. Every file or directory has at least one entry in the MFT. Microsoft calls each MFT entry a file record, and its default size is 1024 bytes (Mikhailov, n.d.). The first 42 bytes are fixed as the MFT entry header and the rest of the entry stores attributes, each of which is a small data structure with a specific purpose. Examples of attributes are $STANDARD_INFORMATION, $FILE_NAME and $DATA (Microsoft, n.d.). The content of an attribute can be either resident or non-resident. A resident attribute stores its content inside the MFT entry. A non-resident attribute stores its content in external clusters, and the list of clusters used is stored as cluster runs in the attribute's run list.
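As an added illustration of the structures just described (this is example code written for this newsletter, not from Cheong Kai Wee's paper or from any of the tools it lists), the following Python walks the attributes of a single MFT entry, distinguishes resident from non-resident content, decodes a run list into cluster runs, and reports the slack between the entry's used and allocated sizes. The 1024-byte entry it parses is constructed inline with one resident and one non-resident $DATA attribute, and fixup (update sequence) values are assumed to have been applied already.

```python
import struct

def parse_runlist(data, pos):
    """Decode a run list into (start cluster, cluster count) pairs."""
    runs, lcn = [], 0
    while data[pos] != 0:                       # a 0x00 header byte ends the list
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        pos += 1
        length = int.from_bytes(data[pos:pos + len_sz], "little")
        pos += len_sz
        # the offset field is signed and relative to the previous run's start cluster
        lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs

def parse_mft_entry(entry):
    """Walk the attributes of one MFT entry (fixup values assumed already applied)."""
    if entry[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    first_attr, flags, used, alloc = struct.unpack_from("<HHII", entry, 0x14)
    attrs, pos = [], first_attr
    while struct.unpack_from("<I", entry, pos)[0] != 0xFFFFFFFF:   # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", entry, pos)
        if nonres == 0:                                   # content kept inside the entry
            size, off = struct.unpack_from("<IH", entry, pos + 0x10)
            attrs.append({"type": atype, "resident": True,
                          "content": entry[pos + off:pos + off + size]})
        else:                                             # content lives in external clusters
            rl_off = struct.unpack_from("<H", entry, pos + 0x20)[0]
            attrs.append({"type": atype, "resident": False,
                          "runs": parse_runlist(entry, pos + rl_off)})
        pos += alen
    # bytes between the used size and the 1024-byte allocation are entry slack,
    # a region no attribute accounts for and therefore worth a look during analysis
    return {"flags": flags, "used": used, "slack": alloc - used, "attributes": attrs}

def build_sample_entry():
    """Constructed test entry: one resident $DATA (type 0x80) and one non-resident $DATA."""
    content = b"resident payload"
    res = struct.pack("<IIBBHHHIHBB", 0x80, 0x18 + len(content), 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0) + content
    # run list: 8 clusters starting at LCN 0x1234, then 4 clusters at 0x1234 - 0x100
    runlist = bytes([0x21, 0x08, 0x34, 0x12, 0x21, 0x04, 0x00, 0xFF, 0x00]).ljust(16, b"\0")
    nonres = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 0x40 + 16, 1, 0, 0x40, 0, 1,
                         0, 11, 0x40, 0, 0, 12 * 4096, 12 * 4096, 12 * 4096) + runlist
    body = res + nonres + b"\xff\xff\xff\xff"
    head = b"FILE" + struct.pack("<HHQHHHHIIQH", 0x30, 3, 0, 1, 1, 0x38, 1,
                                 0x38 + len(body), 1024, 0, 2)
    return (head.ljust(0x38, b"\0") + body).ljust(1024, b"\0")

if __name__ == "__main__":
    print(parse_mft_entry(build_sample_entry()))
```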

The rest of this article can be read online at http://www.forensicfocus.com/hidden-data-analysis-ntfs


3. This month in the Forensic Focus forums

A selection of recent topics in the Forensic Focus forums

Performing live response
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=636

Determining user's groups from Windows image
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=678

IMEI Cloning
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=666

The need for "under the hood" knowledge
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=647

Example casefiles
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=660

NTFS Compressed Files
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=672

Newbie question on file date/time stamps and time zones
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=667

UK Expert Witness Databases
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=591

Restore Point Change.log.x file parser/interpreter?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=662

HashKeeper lists -- where?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=646


4. Useful resources

A monthly guide to the best computer forensics resources on the web


Mailing lists

http://www.forensicfocus.com/computer-forensics-list
http://www.securityfocus.com/archive/104 (Forensics list)
http://groups.yahoo.com/group/linux_forensics/
http://groups.yahoo.com/group/COMPUTER_FORENSICS/
http://groups.yahoo.com/group/computerinvestigators/
http://groups.yahoo.com/group/ComputerForensicJobs/
http://groups.yahoo.com/group/cftt/
http://groups.yahoo.com/group/CCIFTraining/
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users


Web sites

http://www.e-evidence.info/
http://www.tucofs.com/tucofs.htm
http://forensic.to/links/pages/Forensic_Sciences/Field_of_expertise/Computer_Investigation/


Publications

http://www.ijde.org/
http://www.compseconline.com/digitalinvestigation/


Please contact us through http://www.forensicfocus.com/contact with suggestions for (non-commercial) additions to this section.


5. Submitting an article to Forensic Focus

If you would like to write an article for either the Forensic Focus newsletter or website please send a short proposal through http://www.forensicfocus.com/contact for review. I'm afraid we can't offer any kind of financial reward but you would of course be able to include your contact details (business or personal) should you wish. I look forward to hearing from you.

Until next month!

Kind regards,

Jamie
--
Jamie Morris
Forensic Focus
Web: http://www.forensicfocus.com


NEWSLETTER INFORMATION

TELL A FRIEND
Please feel free to forward this newsletter! Alternatively use the form at http://www.forensicfocus.com/tell-a-friend to tell a friend about Forensic Focus.

TO SUBSCRIBE: If someone has forwarded this newsletter to you and you wish to receive future issues just sign up here:

http://www.forensicfocus.com/computer-forensics-newsletter

Your details will NEVER be shared with any 3rd party.

TO UNSUBSCRIBE: If you wish to cancel your subscription please login to your account and change your preferences.

ARCHIVES
Previous newsletters are archived online and can be found at http://www.forensicfocus.com/computer-forensics-newsletter

Copyright(c) Forensic Focus 2006
