DFI News
Automating USB Device Identification on Mac OS X
January 23, 2013 7:00 pm
One of the common methods examiners may use during USB analysis on Mac OS X machines (running Snow Leopard or above) is to search the kernel log for "USBMSC" entries to identify USB devices that have been connected to the machine. BlackBag Technologies has a couple of excellent blog posts here and here describing the logging of USB device information in the kernel log. The "USBMSC" entries appear to have been moved to the system log in...
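The search the post describes is a grep for "USBMSC" followed by manual bookkeeping of which device appeared when. The script below automates that step; it is an added example, not code from the post or from BlackBag. It assumes the line layout `<syslog timestamp> <host> kernel[0]: USBMSC Identifier (non-unique): <serial> 0x<vendor id> 0x<product id> 0x<device release>`, which is an assumption about the entries the post refers to (adjust the pattern if your logs differ), and the log lines fed to it are constructed, not real evidence. Because syslog timestamps carry no year, the caller supplies one.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Assumed layout of a kernel.log (10.6/10.7) or system.log (later) entry:
#   <syslog ts> <host> kernel[0]: USBMSC Identifier (non-unique): <serial> 0x<vid> 0x<pid> 0x<release>
# This is an assumption about the format, not a layout reproduced on the page.
USBMSC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel\[\d+\]: "
    r"USBMSC Identifier \((?P<kind>[^)]*)\): (?P<serial>\S+) "
    r"0x(?P<vid>[0-9A-Fa-f]+) 0x(?P<pid>[0-9A-Fa-f]+) 0x(?P<rev>[0-9A-Fa-f]+)\s*$"
)

# Partial vendor-ID table (from the public usb.ids list) for quick triage;
# check any hit against the full list before putting it in a report.
VENDORS = {"0781": "SanDisk", "0930": "Toshiba", "0951": "Kingston"}

# Constructed sample log: one device seen twice, one unrelated USB line, one other device.
SAMPLE_LOG = """\
Jan 21 08:12:03 macbook kernel[0]: USBMSC Identifier (non-unique): 0123456789ABCDEF 0x781 0x5571 0x100
Jan 21 08:12:04 macbook kernel[0]: USBF:   12.345   AppleUSBEHCI[0xffffff800b0c5000]::unrelated message
Jan 22 17:45:10 macbook kernel[0]: USBMSC Identifier (non-unique): 2004FE1B3C9D 0x930 0x6545 0x100
Jan 23 09:01:55 macbook kernel[0]: USBMSC Identifier (non-unique): 0123456789ABCDEF 0x781 0x5571 0x100
"""


def parse_usbmsc(log_text, year):
    """Return one record per distinct (serial, vid, pid): first/last seen and hit count.

    `year` must come from the examiner (log file dates or rotated file name),
    since the syslog timestamp does not record it.
    """
    devices = OrderedDict()
    for line in log_text.splitlines():
        m = USBMSC_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        # The kernel prints the IDs without leading zeros; pad to the 4-digit
        # form used by usb.ids so lookups match.
        vid = m["vid"].lower().zfill(4)
        pid = m["pid"].lower().zfill(4)
        key = (m["serial"], vid, pid)
        rec = devices.get(key)
        if rec is None:
            rec = devices[key] = {
                "serial": m["serial"],
                "vid": vid,
                "pid": pid,
                "vendor": VENDORS.get(vid, "unknown"),
                "release": m["rev"].lower().zfill(4),
                # "(non-unique)" is the OS telling you the serial is not guaranteed
                # unique: two physical devices can share one identifier.
                "serial_unique": m["kind"] != "non-unique",
                "first_seen": ts,
                "last_seen": ts,
                "count": 0,
            }
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return list(devices.values())


if __name__ == "__main__":
    for d in parse_usbmsc(SAMPLE_LOG, 2013):
        print("%s:%s %-8s serial=%s unique=%s first=%s last=%s hits=%d" % (
            d["vid"], d["pid"], d["vendor"], d["serial"], d["serial_unique"],
            d["first_seen"], d["last_seen"], d["count"]))
```

Run it over a concatenation of the live log and its rotated copies (kernel.log.0.bz2 and so on) so the first-seen timestamp reflects the oldest surviving entry, and treat the "non-unique" flag as a caveat in the report rather than as proof that one physical stick was attached.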
Why are Some States Reluctant to Adopt eDiscovery Rules?
January 23, 2013 7:00 pm
I was asked this question on Twitter by @ESIdatabase (Alejandro Mercado) of Electronic Resource Database. He counted 10 states without ediscovery rules — I thought there were nine, but then my math skills are always suspect. He asked for academic thoughts, which he is more likely to get from the venerable Ralph Losey and Josh Gilliland, to whom he also addressed the question....
Booting a Write-blocked Drive in VMware
January 22, 2013 7:00 pm
The other day, my colleague, Huey Nguyen, just asked Weg whether he could create a VM from a physically write-blocked disk. That was a great question, particularly as drives get bigger and imaging takes longer. Conceptually, it seemed possible, so I gave it a whirl and will demonstrate the process. First, readers should recall my post about creating VMs from mounted images (E01s). The process basically is the same. However, please reca...
Layering Data
January 22, 2013 7:00 pm
Layering is defined as the action of arranging something into layers. There are various reasons why data is layered, but I think the most important one is to show a more accurate picture about something. Each layer may contain different information, so when the layers are combined all of the information can be seen. Providing a more accurate picture about something even applies in Digital Forensics and Incident Response (DFIR). I saw ...
Volume Shadow Copy to Logical Evidence File
January 21, 2013 7:00 pm
EnCase (or any other tool) does not offer any direct way of saving the contents of a shadow copy to an EnCase logical evidence file (L01). However, this is easily accomplished by way of a script. If you have EnCase version 6, this script should do the job for you. Download it here. This is a generic script that allows files from any folder on your local system to be added recursively (with subfolders) to an LEF. The folder you specify can al...
Cracking Android Passwords: The Need for Speed
January 21, 2013 7:00 pm
In October 2012 I posted an article about cracking Android passwords. I spoke primarily on the difficulty in cracking the passwords based on the sheer number of possibilities (a whopping 37,556,971,331,618,802,349,234,821,094,576!). Don't believe me? Let's do a little rehashing: The key space (range of possible ASCII characters) for each position in the password is 94 (upper and lower case letters, digits, and extended ...
Senator Asks Whether Justice Tried to 'Make an Example' of Swartz
January 20, 2013 7:00 pm
Sen. John Cornyn (R-Texas) sent a letter to Attorney General Eric Holder on Friday demanding more information about the prosecution of Aaron Swartz, the co-creator of Reddit and Internet activist who killed himself last week. Cornyn, a top Senate Republican, questioned whether the Justice Department was trying to "make an example" out of Swartz by bringing aggressive hacking charges against him. By Brendan Sasso ...
Rotten Apples: Watch Out for Worms!
January 20, 2013 7:00 pm
Oh, Apple, you've done it to me again! ... With each iOS incarnation, key databases change structure. This is no secret to anyone who examines data from iDevices. The iOS4 sms.db differs greatly from the iOS5 sms.db, and both differ significantly from the new iOS6 sms.db. This is expected, and no heartburn here at all. But last month I was slapped in the face by Apple in an unexpected way: I found two different versions of the sms.db f...
Inside the 1,000 Red October Cyberespionage Malware Modules
January 18, 2013 8:37 am
The Red October espionage malware campaign is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers. The moving parts behind Red October are vast and have been under wraps for the better part of five years, Kaspersky Lab researchers revealed...
Understanding the Importance of Intelligence
January 17, 2013 7:00 pm
As part of M-Unition's Importance of Intelligence series for the month of January, I recently caught up with Mandiant's Principal Threat Intelligence Analyst, Jen Weedon, for an interview. Jen brings five years of experience in the cybersecurity field, leading a team and conducting analysis for commercial and government clients. ...
New Java Exploit Fetches $5,000 Per Buyer
January 17, 2013 10:13 am
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned....
Powerful, Intelligent Screen Capture and Tracking - qTrace
January 16, 2013 7:00 pm
I wanted to share with you an application we use during software testing called qTrace. It really is a great application and could probably be utilized for evidential capture as well. We are in no way affiliated with the company that makes qTrace (apart from using their software); however, it is definitely worth a look....
Deobfuscating Potentially Malicious URLs
January 15, 2013 7:00 pm
When investigating network security incidents, there are two artifacts of malicious activity that require a great deal of research: suspicious sites and suspicious files. Obviously, the investigator should never directly navigate to potentially malicious sites or open suspicious files — just in case they turn out to be malicious. Thus, one potential solution is to use third party investigative sites on the Internet. But how many r...
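Before handing a suspicious URL to a third-party lookup service (or deciding not to), it helps to see what the browser would actually resolve it to. The script below is an added example, not code from the post above; it undoes the obfuscations most often seen in phishing and drive-by links (a decoy "user@" prefix, dword/hex/octal host forms, single and double percent-encoding) entirely offline, so nothing is fetched. It goes slightly beyond the post in that it covers the numeric host forms generically rather than one case; the sample URLs are constructed, and the decoding rules are standard browser behaviour rather than anything the post states.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs, not taken from any incident.
SAMPLES = [
    "http://www.example.com@3232235777/login",           # decoy name before '@', dword host
    "http://0xC0A80101/%2561%2564%256d%2569%256e",        # hex host, double-encoded path
    "http://0300.0250.01.01/update.exe",                  # octal dotted quad
    "https://evil.example/a?x=1",                         # nothing hidden; just defang it
]


def _int_part(p):
    """Parse one dotted-quad component the way browsers do: 0x.. hex, leading 0 octal, else decimal."""
    if p.lower().startswith("0x"):
        return int(p, 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def decode_host(host):
    """Turn the numeric host forms browsers accept into dotted-decimal.

    Handles a plain dword (3232235777), a hex literal (0xc0a80101) and a
    four-part dotted form whose parts are hex, octal or decimal. Anything else
    (a real hostname, or a form we do not recognise) is returned unchanged.
    Three-part and two-part dotted forms are deliberately not handled here.
    """
    h = host.strip("[]")
    try:
        if re.fullmatch(r"0x[0-9a-f]+", h, re.I):
            n = int(h, 16)
        elif re.fullmatch(r"\d+", h):
            n = int(h, 10)
        elif re.fullmatch(r"[0-9a-fx]+(\.[0-9a-fx]+){3}", h, re.I):
            parts = [_int_part(p) for p in h.split(".")]
            if any(p > 255 for p in parts):
                return host
            n = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]
        else:
            return host
        if 0 <= n < 2 ** 32:
            return str(ipaddress.IPv4Address(n))
    except ValueError:
        pass
    return host


def unquote_fully(s, rounds=3):
    """Undo percent-encoding repeatedly; attackers double-encode to slip past filters."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def deobfuscate(url):
    """Return the scheme, real host, decoy userinfo, decoded path/query and a defanged form."""
    parts = urlsplit(url.strip())
    real_host = decode_host(parts.hostname or "")
    path = unquote_fully(parts.path) or "/"
    query = unquote_fully(parts.query)
    # hxxp:// and [.] are the usual defang conventions so the URL is not clickable in a report.
    defanged = "%s://%s%s" % (parts.scheme.replace("http", "hxxp"),
                              real_host.replace(".", "[.]"), path)
    if query:
        defanged += "?" + query
    return {
        "scheme": parts.scheme,
        "host": real_host,
        "decoy": parts.username,  # text before '@' that a victim reads as the site name
        "path": path,
        "query": query,
        "defanged": defanged,
    }


if __name__ == "__main__":
    for u in SAMPLES:
        r = deobfuscate(u)
        print("%-45s -> host=%s decoy=%s path=%s  [%s]" % (u, r["host"], r["decoy"], r["path"], r["defanged"]))
```

Paste the defanged form into the case notes and feed only the decoded host to reputation lookups; the decoy field is what to quote when explaining to a user why the link looked legitimate.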
iPhone Forensics: Handset Passcode vs. iOS Backup Password
January 15, 2013 4:51 pm
One of our top tech support questions is "Are iOS device passcodes different than iOS backup passwords?" The answer is "yes," and this blog seeks to clarify which is which and how an examiner manages these two credential types during an iPhone or iPad forensic examination....
There are Four Lights: The Analysis Matrix
January 14, 2013 7:00 pm
I've talked a lot in this blog about employing event categories when developing and, in particular, when analyzing timelines, and the fact is that we can use these categories for much more than just adding analysis functionality to our timelines. In fact, using artifact and event categories can greatly enhance our overall analysis capabilities. This is something that Corey Harrell and I have spent a great deal of time discussing....