DFI News
Utilities Industry in the Cyber Targeting Scope
June 18, 2013 4:27 pm | by Intel Team
There’s often a lot of rhetoric in the press and in the security community around threats to the utilities industry, and risk exposure surrounding critical infrastructure. We’ve determined that the utilities industry (power, water, waste) has been, and likely will continue to be, a target for cyber espionage primarily from Chinese APT groups.
There are Four Lights: LNK Parsing tools
June 18, 2013 3:47 pm | by Keydet89
Some of the things I'm most interested in when looking at tools for parsing LNK files include completeness/correctness of output, ease of use, the ease with which I can incorporate the output into my analysis processes, etc. I know that some of these aspects may mean different things to different people ... for example, if you're not familiar with parsing shell item ID lists, how do you determine completeness/correctness?
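To make the "completeness/correctness" question concrete for shell item ID lists, here is an added example (not code from the post above or from any of the LNK tools it compares) that walks the LinkTargetIDList of a shell link the way MS-SHLLINK lays it out: a 76-byte ShellLinkHeader, then, when the HasLinkTargetIDList flag is set, a 2-byte IDListSize followed by a chain of ItemIDs (2-byte size plus data) closed by a 2-byte TerminalID. It checks that the walked length matches IDListSize and that every item lies inside the declared list, which is how a parser notices a truncated or hand-edited list instead of silently reporting only the first item. The sample LNK bytes are constructed here from a handful of item types (root folder, volume, file entry); the per-type payloads are minimal stand-ins for illustration, not captures from a real shortcut.

```python
import struct
import uuid

# ShellLinkHeader layout from MS-SHLLINK (76 bytes, little-endian).
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)          # 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001               # LinkFlags bit 0

# Shell item class names keyed on the type indicator byte (first byte of ItemID data).
ITEM_CLASSES = {0x1F: "root folder", 0x2F: "volume", 0x31: "directory", 0x32: "file"}


def build_sample_lnk(items, truncate=False):
    """Constructed sample: header with HasLinkTargetIDList set plus the given ItemID payloads."""
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST, 0x10,  # FileAttributes: directory
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # times, size, icon, SW_SHOWNORMAL, ...
    id_list = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    blob = header + struct.pack("<H", len(id_list)) + id_list
    # A truncated file keeps the header's promise of a list but cuts the bytes short.
    return blob[:-6] if truncate else blob


def parse_lnk(data):
    """Return header flags and every shell item in the LinkTargetIDList, or raise ValueError."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than ShellLinkHeader")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags = fields[0], uuid.UUID(bytes_le=fields[1]), fields[2]
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")

    result = {"flags": flags, "items": []}
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return result

    off = HEADER_SIZE
    (id_list_size,) = struct.unpack_from("<H", data, off)
    off += 2
    end = off + id_list_size
    if end > len(data):
        raise ValueError("IDListSize %d runs past end of file" % id_list_size)

    while True:
        if off + 2 > end:
            raise ValueError("IDList has no TerminalID inside IDListSize")
        (item_size,) = struct.unpack_from("<H", data, off)
        if item_size == 0:                 # TerminalID: end of the chain
            off += 2
            break
        if item_size < 3 or off + item_size > end:
            raise ValueError("ItemID at offset %d has bad size %d" % (off, item_size))
        payload = data[off + 2:off + item_size]
        result["items"].append({
            "offset": off,
            "size": item_size,
            "type": payload[0],
            "class": ITEM_CLASSES.get(payload[0], "unknown 0x%02x" % payload[0]),
            "data": payload,
        })
        off += item_size

    if off != end:                         # every byte of the list must be accounted for
        raise ValueError("walked %d bytes but IDListSize says %d" % (off - HEADER_SIZE - 2, id_list_size))
    return result


def volume_label(items):
    """Pull the ASCII drive string out of the first volume item (constructed layout)."""
    for it in items:
        if it["type"] == 0x2F:
            return it["data"][1:].split(b"\x00", 1)[0].decode("ascii")
    return None


# Constructed ItemID payloads: type byte first, then a minimal stand-in body.
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
SAMPLE_ITEMS = [
    b"\x1f\x50" + MY_COMPUTER,             # root folder: sort index + CLSID
    b"\x2fC:\\\x00",                       # volume: drive string
    b"\x32\x00" + b"\x00" * 10 + b"notes.txt\x00",  # file entry: fake size/time/attrs + name
]

if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk(SAMPLE_ITEMS))
    for it in parsed["items"]:
        print("offset %3d size %3d %s" % (it["offset"], it["size"], it["class"]))
    print("volume:", volume_label(parsed["items"]))
```

A tool that reports only the last item, or that stops at the first one it does not recognise, passes a glance at the output but fails the IDListSize reconciliation above; running a candidate parser against a deliberately truncated file (the `truncate=True` path) is a cheap way to see which tools stay quiet about damage they did not parse.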
TextMe App: Lesson Learned from Unusual Tables
June 18, 2013 11:06 am | by John Lehr
I recently had the opportunity to help a colleague with an iPhone database that was not supported by his automated tools. The application was the TextMe application, and predictably, the texting app stored its chat in a SQLite database. What made the database interesting was the fact that there was no immediately obvious way to identify to whom a message was sent.
US Law Enforcers Want to See a Mobile Phone Kill Switch
June 18, 2013 10:50 am | by Lisa Vaas
US law enforcers are demanding a kill switch on our smartphones that would theoretically brick them after they're stolen. The initiative, dubbed Secure Our Smartphones (SOS), is a coalition of law enforcers from across the country: state attorneys general, district attorneys, major city police chiefs, state and city comptrollers, as well as public safety activists and consumer advocates.
7 Cybersecurity, Forensics Tools to Watch
June 17, 2013 8:22 am | by Sean Doherty
At the Computer and Enterprise Investigations Conference in Orlando, Fla., a number of vendors in computer forensics, cybersecurity, and e-discovery released new products, which make CEIC an annual event for Law Technology News to attend. Cellebrite's UFED series of mobile forensic devices got a new stand-alone application, called UFED Link Analysis.
Secret Surveillance Court May Reveal Some Secrets
June 13, 2013 5:05 pm | by Somini Sengupta
The secret court that adjudicates national security-related information requests lifted the veil on its operations a tiny bit, ruling that portions of one of its earlier opinions could be disclosed to the public. The ruling came in a case by the San Francisco-based Electronic Frontier Foundation.
Here's Everything We Know about PRISM to Date
June 13, 2013 4:45 pm | by Timothy Lee
Since the Guardian and The Washington Post revealed the existence of the NSA’s PRISM program, there’s been a confusing debate about what exactly the program is and how it works. While the Obama administration has tacitly acknowledged the program’s existence, tech companies have angrily denied that they had given the NSA “direct” or “unfettered” access to their servers. So what’s going on?
Positive Response to New iPhone Antitheft Feature
June 12, 2013 8:51 am | by Brian Chen
Thefts of Apple iPhones have become so widespread that the police have coined the term “Apple picking” to describe the crime. Apple says it has come up with a solution for the problem, and legal officials are already showing thanks to the company.
Reversing Basics Part 1: Understanding the C Code
June 11, 2013 4:21 pm | by Editor
This is the first in a series of blog posts which will cover basic reversing of a very simple program written in C. The first post will walk through the simple C program and explain how it is constructed and a bit about C syntax and functions.
Sneak Preview: FOR572 on PaulDotCom
June 11, 2013 11:26 am | by Phil Hagen
You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices.
The Most Sophisticated Android Trojan
June 10, 2013 4:33 pm | by Roman Unuchek
Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated. The file turned out to be a multi-functional Trojan capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console.
MOVP II - 4.4 - What's in Your Mac OSX Kernel Memory?
June 10, 2013 11:19 am | by Andrew Case
Today's post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures and you can use mac_volshell as an interactive tool to print kernel data structures, display kernel memory addresses as bytes, dwords, or qwords, or disassemble code in kernel space.
Have a Taste of Communism with a Mouthful of APT
June 7, 2013 9:54 am | by sinn3r
Everyone loves a good cyber-espionage story, and we love to put China under the spotlight. Why? Because their methods work. China has some well known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group, Unit 61398 and the Nitro gang.
Vrublevsky Arrested for Witness Intimidation
June 7, 2013 9:18 am | by Editor
Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack Assist, a top ChronoPay competitor.
Control Panel Forensics: Evidence of Time Manipulation and More
June 5, 2013 5:00 pm | by Chad Tilbury
The GUI control panel is a long standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity.