According to recently released statistics from ICAC, an agency whose aim is to make the internet safer for children, only 2% of reported child protection cases are investigated in the United States each year. Often the media seize every opportunity to disparage forensics organisations, child protection charities and law enforcement agencies for not coming up with more effective solutions to these cases, but the reality is that the investigation of illicit image distribution is a wide-ranging and complex area, fraught with difficulties.

Digital forensics professionals will undoubtedly come across such cases as part of their general workload. Sometimes a case will begin with an investigator specifically looking for suspicious images, whilst at other times the illicit nature of the images will be discovered in the course of an unrelated process. Regardless of the initial push, however, it is undoubtedly one of the most taxing and time-consuming parts of the job…

Read More

Oxygen Forensics announces the availability of a new edition of Oxygen Forensic Suite 2013. The Passware Edition of the company’s flagship mobile forensic product delivers investigators a complete evidence discovery solution providing integrated recovery of passwords protecting encrypted files discovered during the investigation.

When analyzing mobile devices, investigators often encounter different types of password protection. Extracting these passwords instantly with Oxygen Forensic Suite is not always possible due to one-way encryption or password hashing. In order to enable access to password-protected information, the new edition integrates two forensic products into a single package, and includes Oxygen Forensic Suite Analyst and Passware Kit Forensic. For a limited time, the new edition is available for a discount representing savings of $999 off the regular price. The discount expires on December 1, 2013. By placing an immediate order, forensic specialists may obtain two powerful set of forensic tools for the price of a single tool.Mobile Forensic Suite with Integrated Password Recovery

To facilitate the recovery of passwords protecting mobile devices backups, Oxygen Forensics integrates a powerful password recovery product into its mobile forensic solution. The new product named Oxygen Forensic Suite Passware Edition takes mobile forensics up to the next level, delivering investigators a fully featured suite that can automatically break or recover passwords protecting various types of information such as encrypted files and containers, password-protected backups, messages and attachments, Web site and social network accounts.

“A mobile device itself is not the only source of evidence. In some cases, it is not available to law enforcement at all” said Oleg Fedorov, CEO of Oxygen Forensics. “Experts have the need to forensically extract data from all possible sources including backups. Partnering with Passware gives our customers access to password-protected information stored in Android and iTunes backups through a single interface”.

Everyday passwords set by most smartphone users are limited in length and complexity due to the inconvenience of using on-screen keyboards. This fact combined with new password recovery capabilities implemented in Oxygen Forensic Suite Passware Edition can often deliver great success rate in reasonable timeframe.

“The proliferation of smartphones throughout enterprise and consumer users often allows criminal behavior to pass undetected without a tremendous amount of brute-forcing the password,” said Dmitry Sumin, CEO of Passware. “The expanded capabilities of Passware Kit Forensic help forensic experts gain access to protected information stored in Android phones quickly. This enables IT computer forensic professionals to easily gain access to data residing on the most widely used smartphones.”

The new product is offered for $999 off retail until December 1, 2013. Customers are encouraged to contact Oxygen Forensics for a quote for Oxygen Forensic Suite Passware Edition.

About Oxygen Forensic Suite 2013

Oxygen Forensic Suite 2013 helps investigators and forensic specialists access and analyze data from a variety of mobile devices such as cell phones, smartphones, communicators, PDA and tablet PCs. Currently supporting more than 7,000 different models, Oxygen Forensic Suite 2013 covers the widest range of mobile devices compared to competition, and allows fully automated acquisition and analysis of supported devices.

The unique Timeline feature offers convenient, single-place access to all activities and movements performed by the user arranged by date and time. Investigators can track user location at every moment, build and map their historic routes, and clearly see all activities performed by the user at each location. Timeline is now available for analyzing DMG images.

Another signature feature of Oxygen Forensic Suite allows investigators to perform a global search on all devices ever analyzed with the toolkit. The global search quickly reveals any connections (e.g. common contacts, exchanged calls, texts or emails) between the phone owners.

Oxygen’s statistical analysis tools allow investigators discover social connections between the users of multiple mobile devices. Calls, text messages and various messengers’ conversations are analyzed to produce charts and tables revealing the users’ closest circle at a glance.

Oxygen Forensic Suite 2013 guarantees zero-footprint operation, leaving no traces and making no modifications to the content of the devices. This makes it the tool of choice among government and law enforcement agencies, security services, and forensic organizations in more than fifty countries.

About Passware Kit Forensic

Passware Kit Forensic is Passware’s flagship forensic tool enabling accelerated recovery of passwords protecting more than 200 file types such as office documents and PDF files, encrypted archives, iTunes and Android backups, Windows system passwords, passwords to Web sites, social networks and mail accounts and many more types of data.

In addition to the recovery of plain-text passwords, Passware Kit Forensic can instantly decrypt encrypted volumes protected by popular crypto containers such as BitLocker, TrueCrypt, FileVault2, and PGP by automatically locating and extracting decryption keys stored in the computer’s volatile memory or contained in memory dump images.

About Oxygen Forensics, Inc.

Founded in 2000, Oxygen Forensics is the worldwide leading maker of the advanced forensic data examination tools for smartphones and other mobile devices. The company is dedicated to delivering the most universal forensic solution covering the widest range of mobile devices running Android, iOS, Blackberry, Windows Phone, Symbian and other operating systems. Law enforcement and government agencies, institutions, corporations and private investigators, help desk personnel and thousands of private consumers rely on Oxygen Forensics products to ensure evidence availability in the event of mobile device data analysis and recovery. Oxygen Forensics customers include various US and European federal and state agencies such as the IRS, US Army, US Department of Defense (DOD), US Department of Justice, US Department of Homeland Security, US Department of Transportation, US Postal Service, US Supreme Court, European Commission, London Metropolitan Police, French National Police and Gendarmerie, PricewaterhouseCoopers, Ernst & Young, and many others. As a result, Oxygen Forensic Suite receives great response at forensic conferences, exhibitions and trainings, and occupies a spot on the top of the list in relevant tests for extracting more data than competitors.

About Passware, Inc.

Founded in 1998, Passware, Inc. is the worldwide leading maker of password recovery and e-Discovery software for Federal and State agencies, Fortune 500 corporations, law enforcement, military organizations, help desk personnel, business and private consumers.

# # #

More information about Oxygen Forensics and its forensic solutions is available at www.oxygen-forensic.com

More information about Passware, Inc. and its password recovery solutions is available at www.lostpassword.com

Nuix, a worldwide provider of information management technologies, today announced it has appointed Rob Attoe as Senior Vice President of Investigations Training and Services. United States-based Attoe will be in charge of building and delivering training course content for Nuix customers and partners in the global digital investigations community.

Attoe has more than a decade of experience developing digital forensics and decryption training programs, most recently as Director of Training at AccessData. He has worked as a Computer Crime Specialist with the US National White Collar Crime Center, where his primary focus was developing a curriculum on file system analysis and automated forensic tools, and with the Kent Police as a Forensic Computer Analyst.“Rob’s experience will ensure our training curriculum meets the industry’s highest standards and we are delighted to welcome him,” said Dr Jim Kent, CEO, EMEA and Global Head of Investigations at Nuix. “Rob is the latest in a long line of digital forensic experts who have joined Nuix, making our investigation team an industry powerhouse.”

Attoe participates actively in the global digital investigation community. He is a certified member of the International Association of Computer Investigative Specialists (IACIS) and has instructed at its annual conference. He regularly presents at international digital forensics events including the High Technology Crime Investigation Association, Department of Defense Cyber Crime and F3 conferences.

“I am excited to join such a forward-thinking organization that is driven to deliver innovative solutions for the digital forensics community,” said Attoe. “With my experience and Nuix’s technology, I have an opportunity to deliver the industry’s highest quality instruction that prepares trainees for the challenges of processing, searching and understanding the vast amounts of data they will encounter.”

About Nuix

Nuix (nuix.com) is a worldwide provider of information management technologies, including eDiscovery, electronic investigation and information governance software. Nuix customers include the world’s leading advisory firms, litigation support providers, enterprises, government departments, law enforcement agencies, and all of the world’s major corporate regulatory bodies.

Magnet Forensics has released the Internet Evidence Finder (IEF) Logical Evidence File Creator for EnCase v7. The IEF Logical Evidence File (LEF) Creator is an EnScript designed to create an LEF from a pre-existing IEF case folder. The goal of this EnScript is to allow an examiner who has run IEF separately from EnCase to later incorporate the findings into EnCase v7. Running this EnScript from EnCase v7 creates an LEF that is automatically added into EnCase.www.youtube.com/embed/UUazzKoJCoY” frameborder=”0″ allowfullscreen>

Download the Tool
If you already use IEF you can download IEF Logical Evidence File (LEF) Creator for EnCase v7 directly from the Magnet Forensics website here.

This is the third EnScript released by Magnet Forensics that allows you to integrate IEF into your EnCase workflow. The first one was released in May 2013 and was designed as a stand-alone EnScript for EnCase v6 & v7. You can read the details here.

The second was a module specifically designed to be installed and used as part of the EnCase v7 “Process Evidence” option. You can read more about that EnScript here.

Using the Tool
Let’s assume I have a case where I have run IEF separately from EnCase and searched for Internet artifacts:

Once IEF is completed, I will be presented with the IEF report viewer screen to review the found artifacts:

Let’s now assume there are some artifacts that IEF found that are relevant and I want to include them in my overall EnCase processing/searching/reporting. I can simply run the EnScript from EnCase v7 and it will ask me to point to the IEF case folder (the folder structure that IEF creates and places all the output files in):

Once I have navigated to and selected an existing IEF case folder, the EnScript will create an LEF in that same folder and then try to add it into the current case.

You can now process/review/search/bookmark any of the artifacts that IEF found when you ran it in a stand-alone mode, but have now incorporated the artifacts into EnCase via a logical evidence file.

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance(at)magnetforensics(dot)com

by Hannu Visti

Creating test material for computer forensic teaching or tool testing purposes has been a known problem. I encountered the issue in my studies of Computer Forensics at the University of Westminster. We were assigned a task to compare computer forensic tools and report results. Having already analysed test images by Brian Carrier (http://dftt.sourceforge.net) over and over again, I found myself creating images manually, which appears to be the best and only way of doing this. One of my lecturers, Sean Tohill, confirmed this is indeed the case and a test image generator is long overdue.

The need for such a tool is twofold. In educational setting, the problem of plagiarism can be mitigated by giving each student an individual image to analyse. In application quality testing, one of the tests should be to feed several similar but not identical images to the forensic tool, and compare results, which should be identical…

Read More

The level of sexual abuse and violence carried out on children whose suffering is posted on the internet “seems to be getting worse”, [UK] MPs have heard. Child Exploitation and Online Protection Centre director Peter Davies said victims appeared “to be getting younger and younger”. He told the Culture, Media and Sport Committee the dissemination of pictures of abuse had become “industrialised”. Most victims were under the age of 10, with images including rape, MPs heard.

Mr Davies said the biggest transfer was directly from “peer to peer”. But much of the “worst we have seen” was distributed via the “hidden internet”, which required special software and evaded search engines – and was also used by criminal gangs to organise the drugs trade…

Read More (BBC)

Welcome to this round-up of recent posts to the Forensic Focus forums

Forum user EricZimmerman shares some imager speed test results.

What are ‘advanced forensics concepts‘ within the digital forensics realm?

Forum users discuss digital evidence storage ideas.

Forum member trewmte explains why it’s important to use mobile forensics tools.

A poll about the most appropriate attire for working in forensics provokes discussion.

Is cell tower analysis ‘junk science’? Chime in on the forum.

What are the best forensic tools to use on Chinese phones?

Forum members discuss validating the integrity of data when testifying in court.

There has been increased coverage of cyber bullying in the media recently. How large a problem is cyber bullying? Is it really growing as fast as the media seem to suggest?

When the tragic deaths of young people such as Hannah Smith and Daniel Perry hit the headlines, the spotlight is rightly focused on social networking sites and how bad they are and what can be done to prevent further deaths. Because of the publicity, it appears that all of a sudden social media has become a problem, yet the truth is that concerns about young people inappropriately using social networking sites have never gone away. Schools can vouch for this in the increased number of incidents they deal with; almost always at the centre of bullying incidents is a social network site or messaging service such as Ask.fm. As was the case in the summer with Ask.fm, there was a public outcry to get the site closed down, but this is not the answer….

Read More

HEA STEM: Teaching Computer Forensics is the 8th workshop on Teaching Forensics, the last 4 of which have been held at Sunderland. The workshops have been successful at bringing academics together to discuss the particular challenges in teaching computer forensics, share best practice and discuss opportunities for collaboration in teaching and in research.

The focus for the 2014 event is to continue with the themes that have developed and evolved over the last few years and explore ways in which to enhance teaching and learning opportunities for students studying computer forensics, especially in assessment and feedback, employability and success. The workshop is an opportunity for academics and students in the computer forensics subject area to address the current issues and challenges in a number of themes including (but not exclusive to) student experience, student retention, computer forensics research, new technologies, new computer forensics themes, legal developments, ethics, accreditation and employability…

Read More (The Higher Education Academy)

Latest version of IEF uniquely addresses the challenge of identifying, recovering and analyzing mobile chat data.

Magnet Forensics, the global leader in the development of digital forensic software for the recovery and analysis of Internet evidence from computers, smartphones and tablets, today announced the release of INTERNET EVIDENCE FINDER™ (IEF) v6.2. The latest release adds new features, new Internet artifacts and artifact updates for both IEF Standard and IEF Advanced editions. Newly introduced in IEF v6.2 is the Dynamic App Finder feature. Available for IEF Advanced, it is a novel approach to data recovery from mobile chat applications that enables forensic professionals to find more evidence, faster.[image “http://www.magnetforensics.com/wp-content/themes/magnetforensics/_common/images/FF_banner_62announce.jpg” not found]

Dynamic App Finder

Data recovered from mobile chat apps is critical to many forensic investigations. However, with thousands of mobile chat apps in use today and a steady stream of new apps emerging, identifying, recovering and analyzing mobile chat data is a significant challenge and has become a time consuming duty for forensic professionals.

Dynamic App Finder is a new feature of IEF Advanced that searches for any potential mobile chat app databases that can be found on images or file dumps of iOS or Android mobile devices. It identifies the app name and maps the four key fields required to interpret results from most chat apps; sender, receiver, date/time and the message. At the conclusion of an IEF search, Dynamic App Finder displays the names of the discovered chat apps along with the recommended field mapping for each chat database. Field mappings can be accepted as displayed or modified, and are saved by IEF for use in future cases. Full search results with all recovered records for each chat app are displayed in IEF Report Viewer.

Dynamic App Finder enables examiners to find chat messages from potentially thousands of apps, regardless of how new or obscure they might be.

New IEF Platform Features

The platform enhancements in IEF v6.2 include:

• Chat thread visualization for WhatsApp and Skype; simulates the appearance of chat threads as they would appear in the original application to provide an easily digestible format for both investigators and prosecutors
• Import and export log2timeline CSV format files with IEF Timeline; support for an industry standard file format making it possible to use IEF Timeline for visualization of evidence obtained with other forensic tools
• Merge multiple cases together in IEF Report Viewer and IEF Timeline
• Associate a unique evidence number with each individual device added to a search/case and filter search results based on evidence number within IEF Report Viewer and IEF Timeline

IEF Standard Edition Updates

New Internet Artifacts:

• AVI file carving; recovers video fragments that can be exported to a video file and then played in a video player
• Full Ares artifact support; parse and carve search terms, shared files, downloaded files, and incomplete file downloads
• Hushmail webmail support
• TOR Chat parsing and carving support
• Flash cookies and local objects
• Offline Gmail
• Chrome last/current session tabs

Updated Internet Artifacts:

• Outlook.com webmail (Hotmail artifact update)
• Facebook

IEF Advanced Edition Updates

All IEF Standard artifacts are included in IEF Advanced.

New Mobile Artifacts:

• Support for the YAFFS2 file system used on older Android devices
• Sina Weibo App support
• AIM (AOL Instant Messenger) support on iOS and Android
• Android Cell.cache and Wifi.cache file support – location data can be plotted in World Map
• Android Native email carving

Updated Mobile Artifacts:

• Android SMS improved carving for deleted SMS
• Kik Messenger

Learn More:

• Blog Post: “Finding More Mobile App Data – IEF v6.2 Released”, by Magnet Founder and CTO Jad Saliba
• Video: IEF Dynamic App Finder Walk-through with Lance Mueller
• IEF Standard
• IEF Advanced
• IEF Standard and Advanced Artifacts Supported

Pricing and Availability:

• Pricing for IEF starts at $999 USD
• Existing customers with a Software Maintenance & Support (SMS) subscription can upgrade to IEF v6.2 visiting our customer portal
• New to IEF – Download a free trial of IEF 6.2 by going to www.magnetforensics.com/trial