Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).
The construction and design of SSDs provide many advantages versus traditional hard drives, but...
A question often asked is, “What education and training is necessary to work in digital forensics...
Some of the things I'm most interested in when looking at tools for parsing LNK files include completeness/correctness of output, ease of use, the ease with which I can incorporate the output into my analysis processes, etc. I know that some of these aspects may mean different things to different people ... for example, if you're not familiar with parsing shell item ID lists, how do you determine completeness/correctness?
Addonics Technologies is shipping a new family of USB hardware encryption solutions that protect sensitive data stored on hard drives, removable drives, flash media, optical media, or in the cloud with what the vendor describes as bulletproof security.
Paraben Corporation, a leader in the digital forensics industry, announced the sale of its enterprise digital forensics platform — P2 Enterprise to CyFIR, Inc. The revolutionary new platform — CyFIR Enterprise — will be released in June 2013. CyFIR, Inc. is excited to continue the development of its P2 Enterprise Investigator product line as CyFIR Enterprise.
At the Computer and Enterprise Investigations Conference in Orlando, Fla., a number of vendors in computer forensics, cybersecurity, and e-discovery released new products, which make CEIC an annual event for Law Technology News to attend. Cellebrite's UFED series of mobile forensic devices got a new stand-alone application, called UFED Link Analysis.
Summation 5.0 represents an enormous leap forward for the Summation product line with a free fully interoperable FTK license for renewing customers. Customers can now use the full power of FTK to forensically process and analyze data and view the processed data directly using the Summation 5.0 interface.
Sometimes, when a computer forensics expert is dissecting a suspect’s computer, the most important question to answer is this: “Am I looking at the original hard-drive, with all of its incriminating evidence, or has that drive been swapped out surreptitiously for a new drive, which will not contain the evidence that I’m hoping to find?”
I have had a run of cases where significant information has been found in the iTunes backups on computers that I have looked at. If you weren't aware, owners of iPhone/iPad/iPod mobile devices can hook them up to their computers for backup purposes.
This is the first in a series of blog posts which will cover basic reversing of a very simple program written in C. The first post will walk through the simple C program and explain how it is constructed and a bit about C syntax and functions.
You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices.
Today's post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures, and you can use mac_volshell as an interactive tool to print kernel data structures, display kernel memory addresses as bytes, dwords or qwords, or disassemble code in kernel space.
Myth: Actions taken by a digital forensics practitioner must not change the data held on a digital device’s storage media if such data is to be relied upon in a court of law. Reality: The Court places no such demand on the digital forensics practitioner.
When local police came calling with child porn allegations last January, former Saint John city councillor Donnie Snook fled his house clutching a laptop. It was clear that the computer contained damning data. Six months later, police have finally gathered enough evidence to land him in jail for a long time to come. With a case seemingly so cut and dried, why the lag time?
GetData Forensics has announced the release of its computer forensics analysis software, Forensic Explorer. With an easy to use interface and a strong forensic tool-set, Forensic Explorer offers investigators a cost effective but powerful alternative to current industry tools.
The GUI control panel is a long standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity.
There's a good bit of information available on artifacts referred to as "shellbags," but not much information, nor discussion, on the underlying data structures within shellbags ... shell items. Shell items are data structures used to identify various elements within the Windows folder hierarchy.
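Both the LNK discussion above and the shellbags note turn on the same underlying structure, the shell item ID list: a run of variable-length shell items, each starting with a 2-byte little-endian size that counts the size field itself, closed by a 2-byte zero terminator. The following parser is an added example written for this page, not code from either post. It decodes the three item classes you meet most often (root folder 0x1F, volume 0x2F, and the 0x30 file-entry family that carries a FAT timestamp and a short name), skips each item's extension block by trusting the size prefix, and refuses truncated input rather than reading past the buffer. The sample ID list at the bottom is constructed for the demo; the root-folder CLSID is the well-known "My Computer" value.

```python
"""Parser for a Windows shell item ID list (ITEMIDLIST) as found in LNK
LinkTargetIDList blobs and shellbag registry values.
Added example; not code from the original page. Offsets follow the
publicly documented shell item layout."""
import struct
import uuid
from datetime import datetime

ROOT_FOLDER = 0x1F   # class type: root folder, CLSID at offset 4
VOLUME = 0x2F        # class type: volume with an ASCII name at offset 3


def fat_datetime(date_word, time_word):
    """Decode a FAT/DOS date+time pair (local time of the originating machine)."""
    day, month, year = date_word & 0x1F, (date_word >> 5) & 0x0F, 1980 + (date_word >> 9)
    second, minute, hour = (time_word & 0x1F) * 2, (time_word >> 5) & 0x3F, time_word >> 11
    return datetime(year, month, day, hour, minute, second)


def parse_file_entry(item):
    """File entry item (class 0x30..0x3F): 4 file size, 8 FAT date, 10 FAT time,
    12 attribute flags, 14 primary name (ASCII, or UTF-16 when flag 0x04 is set)."""
    if len(item) < 15:
        raise ValueError('file entry item too short')
    class_type = item[2]
    file_size, fat_date, fat_time, attrs = struct.unpack_from('<IHHH', item, 4)
    if class_type & 0x04:  # unicode name: scan for an aligned double-null terminator
        raw = item[14:]
        end = next(i for i in range(0, len(raw) - 1, 2) if raw[i:i + 2] == b'\x00\x00')
        name = raw[:end].decode('utf-16-le')
    else:
        name = item[14:item.index(b'\x00', 14)].decode('cp437')
    return {'type': 'directory' if class_type & 0x01 else 'file', 'name': name,
            'size': file_size, 'mtime': fat_datetime(fat_date, fat_time), 'attrs': attrs}


def parse_item(item):
    """Dispatch on the class type byte at offset 2; unknown classes are kept raw."""
    if len(item) < 3:
        return {'type': 'unknown', 'raw': item.hex()}
    class_type = item[2]
    if class_type == ROOT_FOLDER and len(item) >= 20:
        return {'type': 'root', 'sort_index': item[3],
                'clsid': str(uuid.UUID(bytes_le=item[4:20]))}
    if class_type == VOLUME:
        return {'type': 'volume', 'name': item[3:item.index(b'\x00', 3)].decode('ascii')}
    if class_type & 0x70 == 0x30:
        return parse_file_entry(item)
    return {'type': 'unknown', 'class_type': class_type, 'raw': item.hex()}


def parse_idlist(data):
    """Walk the list by size prefix until the 2-byte zero terminator."""
    items, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError('IDList truncated: no terminator')
        cb = struct.unpack_from('<H', data, off)[0]
        if cb == 0:
            return items
        if cb < 2 or off + cb > len(data):
            raise ValueError(f'bad item size {cb} at offset {off}')
        items.append(parse_item(data[off:off + cb]))
        off += cb


def render_path(items):
    """Join volume and file-entry names into the target path."""
    path = ''
    for it in items:
        if it['type'] == 'volume':
            path = it['name']
        elif it['type'] in ('directory', 'file'):
            path = path + it['name'] if path.endswith('\\') else path + '\\' + it['name']
    return path


def build_file_entry(class_type, name, file_size, mtime, attrs):
    """Constructed file entry (no extension block) used only to build sample input."""
    date_word = ((mtime.year - 1980) << 9) | (mtime.month << 5) | mtime.day
    time_word = (mtime.hour << 11) | (mtime.minute << 5) | (mtime.second // 2)
    body = struct.pack('<BBIHHH', class_type, 0, file_size, date_word, time_word, attrs)
    body += name.encode('ascii') + b'\x00'
    if len(body) % 2:
        body += b'\x00'
    return struct.pack('<H', len(body) + 2) + body


# Constructed sample: root (My Computer CLSID), volume C:\, dir Users, file notes.txt.
SAMPLE_IDLIST = (
    bytes.fromhex('14001f50e04fd020ea3a6910a2d808002b30309d')
    + b'\x19\x00\x2f' + b'C:\\\x00' + b'\x00' * 18
    + build_file_entry(0x31, 'Users', 0, datetime(2013, 5, 20, 9, 30, 0), 0x10)
    + build_file_entry(0x32, 'notes.txt', 1234, datetime(2013, 6, 3, 14, 7, 10), 0x20)
    + b'\x00\x00'
)

if __name__ == '__main__':
    parsed = parse_idlist(SAMPLE_IDLIST)
    for entry in parsed:
        print(entry)
    print(render_path(parsed))
```

The FAT timestamp is the short-name item's own field and has two-second resolution in the local time of the machine that wrote it; real items usually append a 0xBEEF0004 extension block with the long name and additional timestamps, which this parser deliberately leaves alone (it is skipped by the size prefix). Completeness, in the sense the LNK post asks about, means a tool accounts for every item between the first size field and the terminator, including classes it does not recognise.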
Since the advent of affordable personal computers, digital devices, and later the Internet, these technologies have been used for both legal and illegal purposes, and in order to collect evidence to help prosecute some of the people engaged in the latter, a new science had to be born: digital forensics.
In our investigations it is typical for us to see an attacker use an exploit to first compromise a web server, then launch further attacks against the internal network via a webshell. In the scenario described, the same set of files was acquired from the database server, along with the firewall logs. The ultimate goal is to create a timeline in which every action executed by the attacker(s) is mapped in time.
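The step that makes such a cross-source timeline trustworthy is clock normalisation: the web server, the database server and the firewall each log in their own format, and usually in different timezone notations. The script below is an added example, not part of the original case write-up. It parses constructed Apache-style access log lines (which carry an explicit UTC offset) and constructed iptables-style syslog lines from a hypothetical firewall (which carry neither an offset nor a year, so both are stated as assumptions), converts everything to UTC, flags POST requests to a script under /uploads/ as a webshell candidate, and emits one ordered timeline.

```python
"""Merge a web-server access log and a firewall log into one UTC timeline.
Added example for this page; all log lines are constructed, and the
firewall format is a hypothetical iptables/syslog style."""
import re
from collections import namedtuple
from datetime import datetime, timezone, timedelta

Event = namedtuple('Event', 'ts source detail')

# Assumptions about the firewall appliance: it logs local time at UTC+2 and
# syslog omits the year, so the acquisition year is supplied by the analyst.
FW_TZ = timezone(timedelta(hours=2))
FW_YEAR = 2013

# Constructed sample data.
WEB_LOG = """\
203.0.113.7 - - [03/Jun/2013:14:02:11 +0200] "GET /index.php HTTP/1.1" 200 1843
203.0.113.7 - - [03/Jun/2013:14:05:40 +0200] "POST /upload.php HTTP/1.1" 200 311
203.0.113.7 - - [03/Jun/2013:14:06:02 +0200] "POST /uploads/img.php HTTP/1.1" 200 97
203.0.113.7 - - [03/Jun/2013:14:06:30 +0200] "POST /uploads/img.php HTTP/1.1" 200 2210
"""
FW_LOG = """\
Jun  3 14:06:05 fw1 kernel: ACCEPT SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=49211 DPT=1433
Jun  3 14:06:40 fw1 kernel: ACCEPT SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=49212 DPT=445
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
FW_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: '
                   r'(?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) '
                   r'SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)')


def looks_like_webshell(request):
    """Simple heuristic for the constructed data: a POST to a script under /uploads/."""
    parts = request.split()
    return len(parts) >= 2 and parts[0] == 'POST' and parts[1].startswith('/uploads/') \
        and parts[1].split('?')[0].endswith('.php')


def parse_web_line(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    # The access log carries its own offset, so the conversion is unambiguous.
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    flag = ' [webshell candidate]' if looks_like_webshell(m['req']) else ''
    return Event(ts, 'web', f"{m['ip']} \"{m['req']}\" {m['status']}{flag}")


def parse_fw_line(line, year=FW_YEAR, tz=FW_TZ):
    m = FW_RE.match(line)
    if not m:
        return None
    # Syslog time has no offset or year: apply the assumed ones, then convert to UTC.
    local = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S').replace(tzinfo=tz)
    ts = local.astimezone(timezone.utc)
    return Event(ts, 'fw', f"{m['action']} {m['proto']} {m['src']}:{m['spt']} -> {m['dst']}:{m['dpt']}")


def build_timeline(web_text, fw_text):
    """Parse both sources and order every event by its UTC timestamp."""
    events = [e for e in map(parse_web_line, web_text.splitlines()) if e]
    events += [e for e in map(parse_fw_line, fw_text.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)  # stable sort keeps source order on ties


def render(events):
    return [f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {e.source:<4} {e.detail}" for e in events]


if __name__ == '__main__':
    print('\n'.join(render(build_timeline(WEB_LOG, FW_LOG))))
```

With the sample data the firewall's database connection (port 1433) lands three seconds after the first request to the uploaded script, which is the kind of ordering that only becomes visible once both clocks are expressed in the same reference. Before relying on such a sequence in a real case, measure each device's clock skew against a trusted source at acquisition time and record the offset alongside the evidence.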
We'll examine artifacts created after a compromise, yet not directly related to the malware itself. The practice of identifying these artifacts in a formal process allows an investigator to find troves of artifacts/intelligence, even when direct access to the malware is not possible (for example, on a live system with sophisticated kernel-level malware).
Passware Kit Forensic v.12.5 can now recognize hard disk images and containers, such as TrueCrypt, BitLocker, PGP, etc. during a computer scan. For a computer forensic professional this means that encrypted volumes are flagged during the scan rather than passed over as unrecognized data; detection on its own does not recover their contents, which still requires the key or a successful password attack.
Until recently it was standard practice to approach running computers with a “pull-the-plug” attitude without recognizing the amount of evidence lost with the content of the computer’s volatile memory. Capturing and analyzing volatile data is essential for discovering important evidence. Making a RAM dump should become a standard operating procedure when acquiring digital evidence before pulling the plug and taking the hard drive out.
If we make the argument that a degree is necessary in order to be a more effective digital forensic examiner, we need to show a tangible benefit of the time and money spent, particularly when vendor training in digital forensics and forensic tool use may be had for a fraction of the cost, and an even smaller fraction of the time. The case needs to be made not only to aspiring examiners, but also to those who will ultimately hire them.
The means by which data can be forensically retrieved from badly damaged hard drives is being put to extreme tests in the high-profile Sandy Hook Elementary School shooting case in Newtown, CT. The shooter, Adam Lanza, removed the hard drive from his computer, then smashed it before driving to the school, where he murdered 20 first-grade children and six staff members before killing himself.
SSDs are a game changer for forensic investigators, but insight into their operation can make your case. Tablet, notebook, and desktop computers are expected to have sales of about 600 million units worldwide in 2013, and a substantial portion of those will be built using Solid State Drives (SSDs).
Skype is a popular instant messaging, audio and video teleconferencing program. The Skype application data directory contains a file named shared.xml. As the extension implies, the file is XML formatted, but most of the entries are encoded. This encoding has not been documented or reversed to my knowledge.
Ellington Digital Forensics’ services include slipping into homes to preserve snapshots of hard drives before divorce papers are filed, recovering erased text messages on cheating spouses’ cellphones, combing through computers and serving as an expert witness in civil court.