A round-up of this week’s digital forensics news and views:
Shamsud-Din Jabbar: OSINT Profiling and Uncovering Hidden Threads of the New Orleans Terror Attack
Open-Source Intelligence (OSINT) profiling is revolutionizing investigative practices by leveraging publicly available data to create detailed profiles, analyze networks, and uncover hidden connections. A recent structured guide illustrates how tools like IRBIS and Maltego facilitate efficient data integration, enabling investigators to track subjects such as Shamsud-Din Jabbar, whose digital footprint and connections revealed ties to extremist ideologies. The process includes steps like data collection, network analysis, and behavioral profiling, uncovering actionable insights and highlighting emerging risks, such as the growing use of cryptocurrency in extremist networks. This method demonstrates the power of OSINT to address immediate threats and prevent future risks.
DFIR in a Land Down Under
The 4th DFRWS APAC conference in Brisbane, Australia, showcased cutting-edge developments in digital forensics and incident response (DFIR) from October 22-24, 2024. Highlights included Jessica Hyde’s workshop on third-party app analysis, keynotes by Michael Cohen on the evolving challenges in digital forensics and Darren Hopkins on ransomware trends, and diverse presentations on topics like deepfake detection and forensic readiness. A panel discussed the UN Cybercrime Convention’s implications, and social events fostered networking. Despite positive feedback, organizers aim to improve outreach for next year.
Inside the team fighting crime on the digital frontier
West Midlands Police’s Digital Forensics Unit (DFU) plays a pivotal role in solving crimes by unlocking and analyzing digital evidence from devices like phones and computers. Over the past year, the 80-person team examined nearly 3,000 phones and 1,000 computers, aiding convictions for serious offenses such as murder and gun trafficking. To bolster its capacity, the DFU welcomed seven new apprentices, aged 18 to 40, who support live investigations while gaining practical experience and training. This initiative ensures a skilled future workforce as digital evidence becomes increasingly central to modern policing.
The Challenge of Tracking SSH Connections Without System Logs
A recent exploration of macOS Unified Logs shows an effective way to track SSH logins and logoffs without relying on the traditional system.log file, which an attacker with root can simply delete. The researchers used predicate filters on the sshd process, together with timestamps, to pull SSH connection details (source IP address, source port, user and authentication method) straight from the Unified Log on several macOS versions, including High Sierra, Big Sur and Sonoma. Because the Unified Log is persisted in the tracev3 store under /var/db/diagnostics rather than in a single text file, the method survives deletion of system.log while keeping noise down, and it is a sound alternative for auditing SSH activity in macOS investigations. The practitioner's caveat is that the Unified Log store has a bounded retention window and can itself be erased by a privileged user, so it complements off-host log forwarding rather than replacing it.
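To make the technique concrete, here is an added example (not code from the article or its authors) that parses the kind of output `log show --predicate 'process == "sshd"' --info` prints on macOS and pairs each accepted login with its disconnect by the (source IP, source port) tuple, which is what stays stable across the sshd lines of one session. The log lines below are constructed for the example and only mimic the default `log show` column layout; the message texts are OpenSSH's standard Accepted / Failed / Received disconnect / Disconnected messages. All function and class names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample of `log show --predicate 'process == "sshd"' --info` output.
# The lines are made up for this example; the sshd message texts are the standard
# OpenSSH ones, the leading columns imitate the default `log show` layout.
SAMPLE_LOG = """\
2024-11-03 09:12:41.118245+1000 0x1a2b     Info        0x0                  812    0    sshd: Accepted publickey for analyst from 10.0.0.23 port 51422 ssh2: ED25519 SHA256:0000000000000000000000000000000000000000000
2024-11-03 09:13:02.551127+1000 0x1a31     Info        0x0                  815    0    sshd: (libpam.2.dylib) Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
2024-11-03 09:13:05.902114+1000 0x1a31     Info        0x0                  815    0    sshd: Received disconnect from 203.0.113.9 port 40110:11: Bye Bye [preauth]
2024-11-03 09:41:17.004319+1000 0x1a2b     Info        0x0                  812    0    sshd: Received disconnect from 10.0.0.23 port 51422:11: disconnected by user
2024-11-03 09:41:17.004611+1000 0x1a2b     Info        0x0                  812    0    sshd: Disconnected from user analyst 10.0.0.23 port 51422
2024-11-03 09:41:17.005000+1000 0x1a2c     Info        0x0                  812    0    sshd: pam_unix(sshd:session): session closed for user analyst
"""

# Timestamp, then anything up to the "sshd:" process column, then an optional
# "(sender library)" tag, then the message proper.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+"
    r".*?\bsshd: (?:\([^)]*\) )?(?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
DISCONNECT_RE = re.compile(r"^(?:Received disconnect from|Disconnected from(?: user \S+)?) (?P<ip>\S+) port (?P<port>\d+)")


@dataclass
class Event:
    ts: datetime
    kind: str          # "accepted", "failed" or "disconnect"
    ip: str
    port: int
    user: Optional[str] = None
    method: Optional[str] = None


@dataclass
class Session:
    ip: str
    port: int
    user: str
    method: str
    login: datetime
    logout: Optional[datetime] = None

    @property
    def duration_s(self) -> Optional[float]:
        return None if self.logout is None else (self.logout - self.login).total_seconds()


def parse_events(log_text: str) -> list:
    """Turn raw `log show` lines into typed events; lines that are not login,
    failure or disconnect messages (e.g. pam session bookkeeping) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
        msg = m["msg"]
        if (a := ACCEPTED_RE.match(msg)):
            events.append(Event(ts, "accepted", a["ip"], int(a["port"]), a["user"], a["method"]))
        elif (f := FAILED_RE.match(msg)):
            events.append(Event(ts, "failed", f["ip"], int(f["port"]), f["user"], f["method"]))
        elif (d := DISCONNECT_RE.match(msg)):
            events.append(Event(ts, "disconnect", d["ip"], int(d["port"])))
    return events


def build_sessions(events: list) -> dict:
    """Pair every Accepted login with the first later disconnect for the same
    (ip, port); disconnects without a matching login (pre-auth failures) are ignored."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.ip, ev.port)
        if ev.kind == "accepted":
            sessions[key] = Session(ev.ip, ev.port, ev.user, ev.method, ev.ts)
        elif ev.kind == "disconnect" and key in sessions and sessions[key].logout is None:
            sessions[key].logout = ev.ts
    return sessions


def failed_attempts(events: list) -> list:
    return [e for e in events if e.kind == "failed"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for s in build_sessions(evs).values():
        print(f"{s.user} via {s.method} from {s.ip}:{s.port} {s.login} -> {s.logout} ({s.duration_s}s)")
    for f in failed_attempts(evs):
        print(f"FAILED {f.method} for {f.user!r} from {f.ip}:{f.port} at {f.ts}")
```

On a live host the input would come from `log show --predicate 'process == "sshd"' --info --last 7d` (or `--start`/`--end` bounds when the suspect window is known); keying sessions on source IP and port rather than on the user name is what keeps a reconnecting attacker from being folded into a legitimate user's session.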
Crypto Crime – No Such Thing?
In the latest Forensic Focus podcast, host Si Biles speaks with Nick Furneaux, renowned forensic investigator and author, about the evolving landscape of digital forensics, particularly in cryptocurrency investigations. Furneaux discusses the challenges of identifying cryptocurrency use in crimes, the importance of integrating crypto specialists into broader investigative teams, and the ethical and technical complexities of tackling scams like “pig butchering.” Reflecting on his career, Furneaux emphasizes the need for innovative tools to discover crypto-related evidence and explores the societal impacts of modern scams. His new book, There’s No Such Thing as Crypto Crime, aims to broaden understanding of cryptocurrency in investigations.
File Carving: Encrypted Virtual Hard Disks
Ransomware encryption of virtual hard disks presents significant challenges for forensic investigations, but partial recovery is often possible because ransomware, to finish quickly on large files, typically encrypts only part of each file (the first few megabytes, or fixed-size stripes at intervals), leaving much of a multi-gigabyte virtual disk in clear text. Using file carving, investigators can extract artifacts from those clear regions even when the disk's partition table and file system metadata are gone. This article walks through grep, bulk_extractor, PhotoRec, Scalpel, EVTXtract and custom scripts to recover files, Windows event logs and other evidence from encrypted virtual hard disks. Success rates vary with the ransomware family's encryption pattern, and carved data lacks file names and timestamps, so results need corroboration from other sources; still, these methods can reveal threat actor activity and bridge forensic gaps, which is why the article stresses iterative and adaptable investigative strategies.
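As an added example (not from the article) of the header/footer carving that Scalpel and PhotoRec perform and the fixed-size chunk carving EVTXtract relies on, the block below builds a small constructed "image" in which stand-in ciphertext stripes surround an intact PNG, one intact 64 KiB EVTX chunk and a JPEG whose tail was overwritten, then carves all three in one pass. The filler, the pseudo-JPEG and the bare EVTX chunk are synthetic and labelled as such in the code; the file signatures and the 65536-byte EVTX chunk size are real. Names and the size caps are my own choices.

```python
import random
import struct
import zlib
from dataclasses import dataclass

# Signatures a header/footer carver keys on. A footer of None means "fixed size":
# EVTX chunks are always 64 KiB and start with ElfChnk\0, which is why EVTXtract
# can recover them individually from a damaged .evtx file or raw disk data.
SIGNATURES = {
    "png":        {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max": 1 << 20},
    "jpeg":       {"header": b"\xff\xd8\xff",      "footer": b"\xff\xd9",       "max": 1 << 20},
    "evtx_chunk": {"header": b"ElfChnk\x00",       "footer": None,              "max": 65536},
}


@dataclass
class Carved:
    kind: str
    start: int
    end: int
    complete: bool   # footer found, or the full fixed-size chunk was present


def carve(image: bytes) -> list:
    """For every header hit, look for the matching footer within the size cap.
    If the footer is gone (overwritten by ciphertext) still emit the bytes up to
    the cap and flag the hit as incomplete, since a truncated artifact is often
    still parseable: event records, EXIF, strings."""
    found = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while (start := image.find(sig["header"], pos)) != -1:
            limit = min(len(image), start + sig["max"])
            if sig["footer"] is None:
                end, complete = limit, (limit - start == sig["max"])
            else:
                fpos = image.find(sig["footer"], start + len(sig["header"]), limit)
                end, complete = (limit, False) if fpos == -1 else (fpos + len(sig["footer"]), True)
            found.append(Carved(kind, start, end, complete))
            pos = start + len(sig["header"])
    return sorted(found, key=lambda c: c.start)


def ciphertext(n: int, seed: int) -> bytes:
    """Stand-in for a ransomware-encrypted stripe (deterministic pseudo-random bytes).
    Values are kept below 0xff so the demo cannot produce accidental JPEG marker hits."""
    rng = random.Random(seed)
    return bytes(rng.randrange(0x00, 0xff) for _ in range(n))


def make_png() -> bytes:
    """A valid 1x1 RGB PNG, so the carved result is a real, openable file."""
    def chunk(tag, data):
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x10\x20\x30")      # filter byte + one RGB pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """Not a decodable image: SOI/APP0 markers, filler without 0xff bytes, and an EOI footer."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(0x01, 0x7f)) * 4 + b"\xff\xd9"


def build_image():
    """Constructed disk fragment: clear-text artifacts between encrypted stripes.
    The EVTX chunk carries only its magic; real chunks hold a header and records."""
    png, jpeg = make_png(), make_jpeg()
    evtx = b"ElfChnk\x00" + b"\x00" * (65536 - 8)
    layout = [("ct", ciphertext(700, 1)), ("png", png), ("ct", ciphertext(300, 2)),
              ("evtx_chunk", evtx), ("ct", ciphertext(200, 3)),
              ("jpeg", jpeg[:-40]), ("ct", ciphertext(190, 4))]   # JPEG tail lost to encryption
    image, planted, off = b"", {}, 0
    for label, blob in layout:
        if label != "ct":
            planted[label] = (off, off + len(blob))
        image += blob
        off += len(blob)
    return image, planted


if __name__ == "__main__":
    img, _ = build_image()
    for hit in carve(img):
        print(f"{hit.kind:11} @ {hit.start:#08x}-{hit.end:#08x} {'complete' if hit.complete else 'TRUNCATED'}")
```

The size cap is the important knob: without it a header whose footer was encrypted away would swallow the rest of the image, and with it the carver still returns the surviving prefix, which for event logs and office documents is frequently enough to read. On a real VHD or VMDK the same loop runs over the flat image (after converting dynamic or sparse formats to raw) and each hit is written out as its own file for the downstream tools to parse.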
More than 140 Kenya Facebook moderators diagnosed with severe PTSD
More than 140 Facebook content moderators in Kenya have been diagnosed with severe post-traumatic stress disorder (PTSD), anxiety, and depression due to prolonged exposure to graphic content, including murders, suicides, and child sexual abuse. These moderators, employed by Samasource Kenya under contract with Facebook’s parent company, Meta, endured harsh working conditions for significantly lower pay than their U.S. counterparts. A lawsuit brought by nearly 190 former moderators alleges mental harm, unfair practices, and modern slavery. Despite Meta’s claims of providing support and safety measures, advocates argue the trauma inflicted on moderators highlights the human cost of social media moderation.
watchOS Unified Logs – Introduction and Calls
Unified logs from Apple Watches and paired iPhones provide valuable data for digital investigations, particularly in cases involving calls initiated from the watch. Logs from watchOS differ significantly from those on iOS, with key processes such as “Carousel” replacing “SpringBoard” on the watch. Investigators can trace call activity through processes like “callservicesd” and identify timestamps, device interactions, and contact identifiers. However, while the watch captures essential details, it cannot independently reveal the full context of calls, such as dialed phone numbers, which are often available only on the paired iPhone. Cross-referencing logs from both devices offers a more comprehensive view of user activity.