future challenges and trends

(@armresl)

Could you please further explain this statement?

"many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know."

 
Posted : 31/03/2006 3:54 am
arashiryu
(@arashiryu)

Harlan, gotcha. I'll test with dd and netcat. Thanks again.

 
Posted : 31/03/2006 3:56 am
keydet89
(@keydet89)

armresl,

I think ifindstuffucantfind (correct me if I'm wrong here) may be referring to the keys found in the NTUSER.DAT and SAM files.

"…they have quality assurance teams that certify their tools…"

Right. And ILook 7.x was certified, though it wasn't Unicode compliant. Objects with Cyrillic characters in their names didn't appear in that version of ILook (I got that from a CART guy). The "quality assurance" is only as good as the requirements.

Re the certifications. Yes, this is a big issue, but one that won't be solved easily. There are security professionals who believe that unless you understand assembly language on the x86 platform, you shouldn't be in security. Then there's the ISC^2 and the CISSP cert, which is management level.

 
Posted : 31/03/2006 4:29 am
darren_q
(@darren_q)

A big issue we are seeing is with mobile/cell phones and the varying proprietary formats they use. The rapid increase in storage on the latest phones results in a vast amount of information being carried around. Add to that the increased functionality of the devices and where the manufacturers are heading with future development. A sound forensic process which can image and analyse all of the phones available is something that is needed now and in the future.

 
Posted : 31/03/2006 5:40 am
neddy
(@neddy)

"many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know."

I'm not sure that is the case. It is not possible to prove someone was sitting at a computer logged into a specific user account at a specific point in time. It is, however, quite reasonable to state somebody was logged in to a specific user account at a specific point in time. That somebody could be the suspect's grandmother, but you can't prove it by registry keys alone.

A white paper on distributed computing, another development to be considered with regard to the future of digital forensics:

http://www.dfrws.org/2004/bios/day2/Golden-Perfromance.pdf

 
Posted : 31/03/2006 3:43 pm
keen
(@keen)
Topic starter

Hey Neddy,

Thanks for the link to the Digital Forensics site. Looks like there is lots of information there. Is "digital forensics" a new or separate field from straight-up computer forensics? Is it wireless forensics?

 
Posted : 03/04/2006 7:50 pm
neddy
(@neddy)

I'm not sure, keen. I have noticed a trend as of late to refer to computer forensics as digital forensics; I guess this new term covers all digital forensic devices, from PDAs to mobiles to PCs. You say tomato, I say tomato, etc. I don't believe the term "digital forensics" is restricted to wireless applications.

 
Posted : 03/04/2006 9:57 pm
(@olddawg)

Up until two weeks ago I was reading a book called, "Real Digital Forensics" (until I lost it or somebody stole it). It was computer forensics and not some specialized part of CF.

 
Posted : 04/04/2006 3:53 am
(@awesomemachine)

Putting a certain person at the keyboard, at a certain time, after the fact will be the biggest challenge. Second to that is going to be criminals developing skills to use someone else's computer to do their dirty work, store contraband, store records, create mayhem. Every Windows computer can be uniquely identified by the MD5 hash sums of the photos in "My Photos", the serial numbers of the chassis components, the file hal.dll, and a host of other criteria. I'm very surprised no one has written a program to easily hijack a computer on a residential internet connection.

WinHex has a facility to coherently read NTUSER.DAT, which, in reality, is part of the MS Windows registry. Regedit does not allow viewing this file, which is full of juicy data. I don't know how much black-box work has been done with WinHex, so I don't know how reliable it would be as testimony.

 
Posted : 06/04/2006 1:05 pm
keydet89
(@keydet89)

AwesomeMachine,

Interesting post.

"Putting a certain person at the keyboard, at a certain time, after the fact will be the biggest challenge."

It already is. This is something LEOs and forensic analysts try to do all the time. However, without some sort of visual evidence, it's nearly impossible to do.

"Second to that is going to be criminals developing skills to use someone elses computer to do their dirty work, store contraband, store records, create mayhem."

Again…we're already there. We've been there for a long time. In fact, it's no longer really even an issue of a criminal developing the skills, but of a newbie getting his hands on a worm/Trojan creation toolkit and accessing someone else's computer with NO skills.

"I'm very surprised no one has written a program to easily hijack a computer on a residential internet connection."

Been around for a long time. In my book, I mentioned an autorooter. Add to that bots and worms…

"Regedit does not allow viewing this file…"

Really? So, when I open up RegEdit and look at the HKEY_CURRENT_USER hive, what am I looking at?

Hint: I'm looking at the content of the NTUSER.DAT file for that account.

Harlan

 
Posted : 06/04/2006 5:02 pm
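Harlan's point that HKEY_CURRENT_USER is simply the loaded NTUSER.DAT, and neddy's earlier caveat that a hive ties activity to an account rather than to a person, can both be made concrete offline. NTUSER.DAT (like SAM, SYSTEM and SOFTWARE) is an ordinary hive file whose first 512 bytes are the "regf" base block: sequence numbers, the last-written FILETIME, the embedded path of the hive and an XOR checksum. The parser below is an added example, not code from this thread, from WinHex or from Microsoft; the hive header it parses is constructed inside the script (the profile path and timestamp are made up), so it runs without a real NTUSER.DAT.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the REGF base block (first 512 bytes of NTUSER.DAT, SAM, SYSTEM, ...).
REGF_BASE_BLOCK_SIZE = 0x200
REGF_CHECKSUM_OFFSET = 0x1FC       # DWORD: XOR of the 127 DWORDs before it
REGF_NAME_OFFSET = 0x30            # 64 bytes, UTF-16LE, embedded hive file name
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR-of-DWORDs checksum that Windows stores at offset 0x1FC of a hive."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:REGF_CHECKSUM_OFFSET]):
        xor ^= dword
    # Two reserved results are mapped away, as the kernel does.
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME = number of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_regf_header(data: bytes) -> dict:
    """Read and sanity-check the base block of a registry hive file.

    Works on an NTUSER.DAT copied out of an image; on a live box the same
    content is what Regedit shows under HKEY_CURRENT_USER for that account.
    """
    if len(data) < REGF_BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a hive base block")
    block = data[:REGF_BASE_BLOCK_SIZE]
    if block[:4] != b"regf":
        raise ValueError(f"not a registry hive, signature {block[:4]!r}")

    (seq1, seq2, last_written_ft, major, minor, file_type, file_format,
     root_cell, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)

    raw_name = block[REGF_NAME_OFFSET:REGF_NAME_OFFSET + 64]
    embedded_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_sum = struct.unpack_from("<I", block, REGF_CHECKSUM_OFFSET)[0]

    return {
        "embedded_name": embedded_name,
        "version": f"{major}.{minor}",
        "is_primary_file": file_type == 0,
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        # When the hive was last flushed: evidence about the account, not the person.
        "last_written": filetime_to_datetime(last_written_ft),
        # Equal sequence numbers mean the last write completed; unequal means the
        # hive was mid-update (dirty) when it was acquired, so trust it less.
        "consistent": seq1 == seq2,
        "checksum_ok": stored_sum == regf_checksum(block),
    }


def build_sample_hive_header(name: str, last_written: datetime,
                             seq1: int = 7, seq2: int = 7) -> bytes:
    """Constructed base block for demonstration; not taken from any real system."""
    block = bytearray(REGF_BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", block, 4,
                     seq1, seq2, datetime_to_filetime(last_written),
                     1, 3,            # hive format version 1.3
                     0, 1,            # file type 0 = primary file, format 1 = direct memory load
                     0x20, 0x1000, 1)  # root cell offset, hbins size, clustering factor
    block[REGF_NAME_OFFSET:REGF_NAME_OFFSET + 64] = (
        name.encode("utf-16-le")[:64].ljust(64, b"\x00"))
    struct.pack_into("<I", block, REGF_CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


# Hypothetical profile path and timestamp, constructed for the example.
SAMPLE_NAME = r"\??\C:\Users\alice\NTUSER.DAT"
SAMPLE_LAST_WRITTEN = datetime(2006, 3, 31, 3, 54, tzinfo=timezone.utc)
SAMPLE_HIVE = build_sample_hive_header(SAMPLE_NAME, SAMPLE_LAST_WRITTEN)

if __name__ == "__main__":
    for key, value in parse_regf_header(SAMPLE_HIVE).items():
        print(f"{key:>18}: {value}")
```

On a real case you would call `parse_regf_header(open("NTUSER.DAT", "rb").read())` on the hive carved or copied from the image, check `checksum_ok` and `consistent` before trusting anything deeper in the file, and then note that what comes back is the profile path and the time the hive was last written, which places an account, not a named human, at the machine.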
Page 2 / 3